Bug 65355 - Vulnerability through the batik-all deopendency
Summary: Vulnerability through the batik-all deopendency
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall (show other bugs)
Version: 5.0.0-FINAL
Hardware: PC All
: P2 major (vote)
Target Milestone: ---
Assignee: POI Developers List
: 65421 (view as bug list)
Depends on:
Reported: 2021-06-04 09:47 UTC by Laurent
Modified: 2021-07-01 15:05 UTC (History)
2 users (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Laurent 2021-06-04 09:47:44 UTC

We're getting a warning regarding some vulnerability induced by the batik-all dependency when using poi-ooxml.

[ERROR]   org.apache.xmlgraphics:batik-transcoder:jar:1.13:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlgraphics/batik-transcoder@1.13?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]     * [CVE-2020-11987] Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improp... (5.3); https://ossindex.sonatype.org/vulnerability/3be652e4-f000-4fad-9fdb-1a0bda304afe?component-type=maven&component-name=org.apache.xmlgraphics.batik-transcoder&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]   org.apache.xmlgraphics:batik-dom:jar:1.13:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlgraphics/batik-dom@1.13?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]     * [CVE-2020-11987] Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improp... (5.3); https://ossindex.sonatype.org/vulnerability/3be652e4-f000-4fad-9fdb-1a0bda304afe?component-type=maven&component-name=org.apache.xmlgraphics.batik-dom&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1

I'm not really sure what it impacts but it's the kind of thing that should be looked into IMO.

Comment 1 PJ Fanning 2021-06-04 10:52:44 UTC
Next POI release will use batik 1.14.

You can change your project to use batik 1.14 - it should work with POI 5.0.0.
Comment 2 PJ Fanning 2021-07-01 15:05:09 UTC
*** Bug 65421 has been marked as a duplicate of this bug. ***