nkshschdv opened a new issue, #6241:
URL: https://github.com/apache/jmeter/issues/6241

   ### Expected behavior
   
   Microsoft Defender for Cloud on Azure has detected a vulnerability, CVE-2022-44729, in apache-jmeter-5.6.3. Please find the report below:
   ```text
   Critical and High severity vulnerabilities detected in your CNAB bundle by scanning referenced images with Microsoft Defender for Cloud. To know more about the vulnerability scanning process go to https://aka.ms/Container-Certification-Vulnerability-Found. Details about the Vulnerabilities detected are:
   Source image: xxxxxxxx.azurecr.io/xxxxxxx
   Image digestId: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   VulnerabilityId: 994981
   CVSS version 3 score: 7.1
   CVE Ids:
   link= http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44729 and CveId= CVE-2022-44729

   Vulnerability Information: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.
   Remediation Steps: Refer to Github security advisory GHSA-gq5f-xv48-2365 (https://github.com/advisories/GHSA-gq5f-xv48-2365) for updates and patch information.

   Patch:

   Following are links for downloading patches to fix the vulnerabilities:

   GHSA-gq5f-xv48-2365:org.apache.xmlgraphics:batik-bridge (https://github.com/advisories/GHSA-gq5f-xv48-2365)
   ```
   
   On searching my container, I can find the following location, as shown in the screenshot, leading to the JMeter installation:
   
![image](https://github.com/apache/jmeter/assets/15321028/95842cb0-a348-4e71-b6fd-955a88f84d34)
   
   
   
   ### Actual behavior
   
   The versions of the following artifacts should be 1.17 or higher:
   1. org.apache.xmlgraphics:batik-bridge
   2. org.apache.xmlgraphics:batik-transcoder
   
   ### Steps to reproduce the problem
   
   1. Install JMeter on Ubuntu Linux.
   2. Search for the keyword using `find / -path /proc -prune -o -iname "*batik*" -print`.
   3. Some of the results will point to batik-bridge 1.16 and batik-transcoder 1.16, a vulnerable version.
   
   ### JMeter Version
   
   5.6.3
   
   ### Java Version
   
   openjdk version "11.0.22" 2024-01-16
   
   ### OS Version
   
   Linux 62ef50357f09 5.15.0-1057-azure #65~20.04.1-Ubuntu SMP Mon Feb 12 
17:26:40 UTC 2024 x86_64 GNU/Linux
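The reproduction steps above amount to a manual audit: locate the Batik jars shipped with a JMeter install and compare their versions with the 1.17 floor the reporter expects. The script below is an added example written for this page; it is not code from the issue, from JMeter or from Microsoft Defender. It assumes Maven-style jar names such as `batik-bridge-1.16.jar` (shaded or renamed jars will not match, so it is a filename heuristic rather than proof of exploitability), and the `apache-jmeter-5.6.3/lib` sample tree it builds is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of JMeter: scan a directory tree for
# Batik jars and flag any whose version is below a floor (default 1.17, the
# version the report above asks for). Version detection relies on the
# Maven-style filename convention batik-<artifact>-<version>.jar (assumption).

# version_lt A B: exit 0 if dotted numeric version A is strictly less than B.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; a=${a#*.}
        bi=${b%%.*}; b=${b#*.}
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# batik_version_from_jar PATH: print the version embedded in a Batik jar
# filename (e.g. 1.16 for batik-bridge-1.16.jar); print nothing otherwise.
batik_version_from_jar() {
    basename "$1" | sed -n 's/^batik-[a-z-]*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# scan_batik_jars DIR [MIN]: list Batik jars under DIR with a status line each;
# exit 1 if any jar is older than MIN (default 1.17), 0 otherwise.
scan_batik_jars() {
    dir="$1" min="${2:-1.17}" rc=0
    tmp=$(mktemp)
    # Same search the issue uses, narrowed to jar files and rooted at DIR.
    find "$dir" -path /proc -prune -o -iname 'batik-*.jar' -print 2>/dev/null | sort > "$tmp"
    while IFS= read -r jar; do
        ver=$(batik_version_from_jar "$jar")
        if [ -z "$ver" ]; then continue; fi
        if version_lt "$ver" "$min"; then
            printf 'VULNERABLE %s (batik %s < %s)\n' "$jar" "$ver" "$min"
            rc=1
        else
            printf 'ok         %s (batik %s)\n' "$jar" "$ver"
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$rc"
}

# make_sample_jmeter_tree: build a constructed sample that mimics the lib/
# directory of a JMeter install (empty files; the mix of versions is invented
# so that both outcomes appear). Prints the temporary root directory.
make_sample_jmeter_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/apache-jmeter-5.6.3/lib"
    for jar in batik-bridge-1.16.jar batik-transcoder-1.16.jar \
               batik-css-1.17.jar other-library-1.0.jar; do
        : > "$root/apache-jmeter-5.6.3/lib/$jar"
    done
    printf '%s\n' "$root"
}

# Stand-alone use: pass a directory to scan, or run without arguments to scan
# the constructed sample tree.
if [ "$#" -gt 0 ]; then
    scan_batik_jars "$1"
else
    sample=$(make_sample_jmeter_tree)
    if scan_batik_jars "$sample"; then
        echo "no Batik jars below 1.17 found"
    else
        echo "Batik jars below 1.17 found"
    fi
    rm -rf "$sample"
fi
```

Run it as `./batik-scan.sh /opt/apache-jmeter-5.6.3` (or against `/` inside a container, as the issue does) and act on any `VULNERABLE` line; the non-zero exit status makes it usable as a gate in an image build pipeline. Because it only reads filenames, a clean result does not prove that no vulnerable Batik code is present, and a flagged result says nothing about whether the SSRF is reachable through JMeter's use of the library.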


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@jmeter.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
