Miggo Logo
Miggo Vulnerability Database
CVE-2022-44729

CVE-2022-44729:
Apache XML Graphics Batik Server-Side Request Forgery vulnerability

7.1

CVSS Score

Basic Information

CVE ID
CVE-2022-44729
GHSA ID
GHSA-gq5f-xv48-2365
EPSS Score
-
CWE
CWE-918
Published
8/22/2023
Updated
2/13/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.xmlgraphics:batik-bridgemaven>= 1.0, < 1.171.17
org.apache.xmlgraphics:batik-svgrasterizermaven>= 1.0, < 1.171.17
org.apache.xmlgraphics:batik-transcodermaven>= 1.0, < 1.171.17

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability arises from insecure defaults allowing external resource loading. The commit diff shows critical changes: (1) SVGAbstractTranscoder's isAllowExternalResources() method originally returned 'true' by default (changed to 'false' in the patch), and (2) SVGConverter's allowExternalResources field was initialized to 'true' (removed in the patch). These defaults permitted SSRF via malicious SVG files. The CLI option inversion (from '-blockExternalResources' to '-allowExternalResources') further confirms the shift from permissive to restrictive defaults.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*rv*r-Si** R*qu*st *or**ry (SSR*) vuln*r**ility in *p**** So*tw*r* *oun**tion *p**** XML *r*p*i*s **tik.T*is issu* *****ts *p**** XML *r*p*i*s **tik: *.**. On v*rsion *.**, * m*li*ious SV* *oul* tri***r lo**in* *xt*rn*l r*sour**s *y ****ult, **usin

Reasoning

T** vuln*r**ility *ris*s *rom ins**ur* ****ults *llowin* *xt*rn*l r*sour** lo**in*. T** *ommit *i** s*ows *riti**l ***n**s: (*) SV***str**tTr*ns*o**r's is*llow*xt*rn*lR*sour**s() m*t*o* ori*in*lly r*turn** 'tru*' *y ****ult (***n*** to '**ls*' in t**