{"id":"CVE-2022-38398","summary":"Server-Side Request Forgery Information Disclosure Vulnerability","details":"Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.","aliases":["GHSA-c5xv-qc8p-mh2v"],"modified":"2026-05-18T05:53:59.150522663Z","published":"2022-09-22T00:00:00Z","related":["SUSE-SU-2024:0777-1","openSUSE-SU-2024:12363-1"],"database_specific":{"cna_assigner":"apache","cwe_ids":["CWE-918"],"unresolved_ranges":[{"extracted_events":[{"last_affected":"Batik 1.14"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/38xxx/CVE-2022-38398.json"},"references":[{"type":"WEB","url":"https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/38xxx/CVE-2022-38398.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-38398"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-11"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/xmlgraphics-batik","events":[{"introduced":"0"},{"last_affected":"6f03c1c80f51f53c61d506a544d810bfc111ec4f"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.14"}],"cpe":"cpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["batik-1_14"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-38398.json"}}],"schema_version":"1.7.5"}