[BATIK-1338] Block loading jar inside svg - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.16
Component/s: None
Labels:
None

Description

We should block loading jars by default to avoid running untrusted code:

<script type="application/java-archive" xlink:href="file.jar"/>

CVE-2022-41704

Attachments

Issue Links

relates to

FOP-3104 A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16

Resolved

Activity

People

Assignee:: Simon Steiner

Reporter:: Simon Steiner

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 28/Sep/22 10:57

Updated:: 01/Nov/22 09:19

Resolved:: 28/Sep/22 10:59