Vulnerabilities in Apache Batik Default Security Controls – SSRF and RCE Through Remote Class Loading
Zero Day Initiative - Blog www.zerodayinitiative.com
Introduction
I stumbled upon the Apache Batik library while researching other Java-based products. It immediately caught my attention, as this library parses Scalable Vector Graphics (SVG) files and transforms them into different raster graphics formats (e.g., PNG, PDF, or JPEG). I was even more encouraged when I looked at the Batik documentation. It was obvious that such a library could be prone to Server-Side Request Forgery (SSRF) issues (e.g., loading of images from remote resources). However, the documentation shows …