{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"batik security update", "category":"general", "title":"Synopsis" }, { "text":"An update for batik is now available for openEuler-22.03-LTS.", "category":"general", "title":"Summary" }, { "text":"Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup, that lets you write your template directly as a CoffeeScript function.\n\nSecurity Fix(es):\n\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.(CVE-2022-41704)\n\nA vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.(CVE-2022-42890)", "category":"general", "title":"Description" }, { "text":"An update for batik is now available for openEuler-22.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"batik", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2023-1051", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1051" }, { "summary":"CVE-2022-41704", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-41704&packageName=batik" }, { "summary":"CVE-2022-42890", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-42890&packageName=batik" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41704" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42890" }, { "summary":"openEuler-SA-2023-1051 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2023/csaf-openeuler-sa-2023-1051.json" } ], "title":"An update for batik is now available for openEuler-22.03-LTS", "tracking":{ "initial_release_date":"2023-02-03T14:14:49+08:00", "revision_history":[ { "date":"2023-02-03T14:14:49+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T14:14:49+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T14:14:49+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T14:14:49+08:00", "id":"openEuler-SA-2023-1051", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"openEuler-22.03-LTS", "name":"openEuler-22.03-LTS" }, "name":"openEuler-22.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"batik-1.10-7.oe2203.noarch.rpm", "name":"batik-1.10-7.oe2203.noarch.rpm" }, "name":"batik-1.10-7.oe2203.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"batik-help-1.10-7.oe2203.noarch.rpm", "name":"batik-help-1.10-7.oe2203.noarch.rpm" }, "name":"batik-help-1.10-7.oe2203.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS" }, "product_id":"batik-1.10-7.oe2203.src.rpm", "name":"batik-1.10-7.oe2203.src.rpm" }, "name":"batik-1.10-7.oe2203.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"batik-1.10-7.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "name":"batik-1.10-7.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"batik-help-1.10-7.oe2203.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "name":"batik-help-1.10-7.oe2203.noarch as a component of openEuler-22.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS", "product_reference":"batik-1.10-7.oe2203.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS:batik-1.10-7.oe2203.src", "name":"batik-1.10-7.oe2203.src as a component of openEuler-22.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2022-41704", "notes":[ { "text":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ], "details":"batik security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1051" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-41704" }, { "cve":"CVE-2022-42890", "notes":[ { "text":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ], "details":"batik security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1051" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS:batik-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-help-1.10-7.oe2203.noarch", "openEuler-22.03-LTS:batik-1.10-7.oe2203.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2022-42890" } ] }