{"id":"CVE-2022-40146","summary":"Jar url should be blocked by DefaultScriptSecurity","details":"Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.","aliases":["GHSA-h4qg-p7r2-cpg3"],"modified":"2026-05-15T11:53:40.579487373Z","published":"2022-09-22T00:00:00Z","related":["SUSE-SU-2024:0777-1","openSUSE-SU-2024:12363-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/40xxx/CVE-2022-40146.json","unresolved_ranges":[{"extracted_events":[{"last_affected":"Batik 1.14"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-918"],"cna_assigner":"apache"},"references":[{"type":"WEB","url":"https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/40xxx/CVE-2022-40146.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40146"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-11"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html"}],"schema_version":"1.7.5"}