CVE-2022-38398 - Vulnerability Details - OpenCVE

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Batik
Debian	Debian Linux
Redhat	Camel Spring Boot Jboss Fuse

Configuration 1 [-]

cpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Fuse 7.12
batik	cpe:/a:redhat:jboss_fuse:7	RHSA-2023:3954	2023-06-29T00:00:00Z
RHINT Camel-Springboot 3.20.1
batik	cpe:/a:redhat:camel_spring_boot:3.20.1	RHSA-2023:2100	2023-05-03T00:00:00Z

References

Link	Providers
http://svn.apache.org/viewvc?view=revision&revision=1903462
https://issues.apache.org/jira/browse/BATIK-1331
https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2022-38398
https://security.gentoo.org/glsa/202401-11
https://www.cve.org/CVERecord?id=CVE-2022-38398

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-09-22T00:00:00.000Z

Updated: 2025-11-03T19:27:24.506Z

Reserved: 2022-08-18T00:00:00.000Z

Link: CVE-2022-38398

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-22T15:15:09.287

Modified: 2025-11-03T20:15:56.057

Link: CVE-2022-38398

Redhat

Severity : Moderate

Publid Date: 2022-09-22T00:00:00Z

Links: CVE-2022-38398 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-38398", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2025-11-03T19:27:24.506Z", "dateReserved": "2022-08-18T00:00:00.000Z", "datePublished": "2022-09-22T00:00:00.000Z"}, "containers": {"cna": {"title": "Server-Side Request Forgery Information Disclosure Vulnerability", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-07T11:06:23.622Z"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache XML Graphics", "versions": [{"version": "Batik 1.14", "status": "affected"}]}], "references": [{"url": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"}, {"name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}, {"name": "GLSA-202401-11", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-11"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "cweId": "CWE-918"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20231014 [SECURITY] [DLA 3619-1] batik security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}, {"name": "GLSA-202401-11", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-11"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:27:24.506Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*", "matchCriteriaId": "0F4442FE-A805-4B59-BA99-9E492F793BAB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante cargar una url mediante el protocolo jar. Este problema afecta a Batik de Apache XML Graphics versi\u00f3n 1.14"}], "id": "CVE-2022-38398", "lastModified": "2025-11-03T20:15:56.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-09-22T15:15:09.287", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"}, {"source": "[email protected]", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}, {"source": "[email protected]", "url": "https://security.gentoo.org/glsa/202401-11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202401-11"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3954", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "batik", "product_name": "Red Hat Fuse 7.12", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:2100", "cpe": "cpe:/a:redhat:camel_spring_boot:3.20.1", "package": "batik", "product_name": "RHINT Camel-Springboot 3.20.1", "release_date": "2023-05-03T00:00:00Z"}], "bugzilla": {"description": "batik: Server-Side Request Forgery", "id": "2155292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155292"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-918", "details": ["Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14."], "name": "CVE-2022-38398", "package_state": [{"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "batik", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Out of support scope", "package_name": "batik", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "batik", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Will not fix", "package_name": "batik", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "batik", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "batik", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "batik", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "batik", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-09-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-38398\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38398\nhttp://svn.apache.org/viewvc?view=revision&revision=1903462\nhttps://issues.apache.org/jira/browse/BATIK-1331\nhttps://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"], "threat_severity": "Moderate"}