CVE-2022-44730: 
Java vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was identified in Apache XML Graphics Batik, affecting versions 1.0 through 1.16. The vulnerability (CVE-2022-44730) allows a malicious SVG to probe user profile/data and send it directly as a parameter to a URL. The issue was disclosed on August 22, 2023, and was assigned a CVSS v3.1 base score of 4.4 (Medium) (NVD).

The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and low impact on confidentiality and integrity with no impact on availability (NVD). The issue involves the Rhino component, where the fix involved switching to an empty whitelist (OSS Security).

The vulnerability allows attackers to probe user profile data and transmit it as a URL parameter, potentially leading to information disclosure. The CVSS scoring indicates low impact on both confidentiality and integrity of the system (NVD).

Users are advised to upgrade to Batik version 1.17 or later to address this vulnerability. The fix implements an empty whitelist for Rhino to prevent the SSRF issue (Apache Security, OSS Security).

The vulnerability was independently reported by Julien Lacour and was addressed by the Apache XML Graphics team. The issue was initially classified as an information disclosure vulnerability, though there was some discussion about the accuracy of this classification (OSS Security).