[
https://issues.apache.org/jira/browse/XGC-149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joshua Marquart updated XGC-149:
--------------------------------
Description:
According to the National Vulnerability Database, CVE-2026-24806 and
CVE-2026-24807 apply to batik-codec:
https://nvd.nist.gov/vuln/detail/CVE-2026-24806
https://nvd.nist.gov/vuln/detail/CVE-2026-24807
https://www.sentinelone.com/vulnerability-database/cve-2026-24806/
This was identified in the quick-media fork of batik-codec and was due to input
validation missing from the `public void write(byte[] b, int off, int len)
throws IOException` methods of
`org.apache.batik.ext.awt.image.codec.png.PNGImageEncoder.java` at line 91 and
`org.apache.batik.ext.awt.image.codec.util.SeekableOutputStream.java` at line
61:
```java
// Input validation
if (b == null) {
    throw new NullPointerException();
}
if (off < 0 || len < 0 || len > b.length || off > b.length - len) {
    throw new ArrayIndexOutOfBoundsException();
}
```
Similar input validation does not exist in the apache batik-codec 1.19 source
download.
This is causing components to be flagged with a Medium vulnerability in
Sonatype Lifecycle.
was:
This is not a bug in XMLGraphics or Batik; this issue is opened for
notification / tracking purposes.
According to the National Vulnerability Database (NVD) and downstream advisory
databases, CVE-2026-24806 applies to
Vendor: liuyueyi
Project: quick-media
Affected module: batik-codec-fix
Affected file: PNGImageEncoder.java
Vulnerability type: CWE‑94 — Improper Control of Code Generation
It does not apply to the following artifacts:
org.apache.xmlgraphics:batik-codec:1.19
org.apache.xmlgraphics:xmlgraphics-commons:2.11
However, note that Sonatype Lifecycle scans are currently false-flagging the
above artifacts as vulnerable.
All 3 artifacts contain
org.apache.batik.ext.awt.image.codec.png.PNGImageEncoder at different levels;
Quick-Media forked batik-codec-fix from batik several versions ago. This is a
fork attribution issue, not an Apache Batik defect.
Sonatype uses heuristic class matching; it identifies risk using:
1. Bytecode similarity
2. Class and package name matching
3. Historical association
This approach intentionally over-flags components when a vulnerable class name
appears, even if:
1. The CVE vendor does not match
2. The upstream implementation differs
3. The vulnerable behavior is absent
This explains why batik-codec:1.19 and xmlgraphics-commons:2.11 are flagged,
despite not being listed as affected by any CVE authority.
Sonatype vendor has been notified.
Casual suggestion for teams facing this issue:
Apply a policy waiver / suppression for:
org.apache.xmlgraphics:batik-codec:1.19
org.apache.xmlgraphics:xmlgraphics-commons:2.11
Justification:
CVE applies exclusively to the Quick‑Media fork (batik-codec-fix).
Apache Batik and XML Graphics artifacts are not listed as affected by NVD,
CVE.org, GitHub Advisories, or SentinelOne.
No vulnerable code path exists in the official Apache releases.
Issue Type: Bug (was: Improvement)
> Apache Batik and XML Graphics falsely implicated by CVE-2026-24806
> ------------------------------------------------------------------
>
> Key: XGC-149
> URL: https://issues.apache.org/jira/browse/XGC-149
> Project: XMLGraphicsCommons
> Issue Type: Bug
> Components: image writer
> Affects Versions: 2.11
> Reporter: Joshua Marquart
> Priority: Trivial
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
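The guard quoted in the description, placed beside a naive `off + len > b.length` check in a `write(byte[], int, int)` wrapper, as an added example that is not code from Apache Batik or the quick-media fork. `WriteGuardDemo`, `NaiveGuardStream`, `SafeGuardStream` and `probe` are names made up for this illustration; the delegate stream is a plain `ByteArrayOutputStream`, and the inputs are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Added example (hypothetical class names, not Batik or quick-media code):
// two wrappers around a delegate OutputStream, one with a naive range check
// that can overflow, one with the form quoted in the issue.
public class WriteGuardDemo {

    /** Naive guard: off + len can wrap negative, so an invalid range can pass. */
    static final class NaiveGuardStream extends OutputStream {
        private final OutputStream out;
        NaiveGuardStream(OutputStream out) { this.out = out; }

        @Override public void write(int b) throws IOException { out.write(b); }

        @Override public void write(byte[] b, int off, int len) throws IOException {
            if (b == null) throw new NullPointerException();
            if (off < 0 || len < 0 || off + len > b.length) { // overflow-prone sum
                throw new ArrayIndexOutOfBoundsException();
            }
            out.write(b, off, len); // an out-of-range (off, len) reaches the delegate
        }
    }

    /** Guard with the same condition as the snippet quoted in the issue. */
    static final class SafeGuardStream extends OutputStream {
        private final OutputStream out;
        SafeGuardStream(OutputStream out) { this.out = out; }

        @Override public void write(int b) throws IOException { out.write(b); }

        @Override public void write(byte[] b, int off, int len) throws IOException {
            if (b == null) throw new NullPointerException();
            // len <= b.length is checked first, so b.length - len is >= 0 and
            // the comparison cannot overflow.
            if (off < 0 || len < 0 || len > b.length || off > b.length - len) {
                throw new ArrayIndexOutOfBoundsException();
            }
            out.write(b, off, len);
        }
    }

    /** Returns the simple name of the exception the write throws, or null if it succeeds. */
    static String probe(OutputStream s, byte[] b, int off, int len) {
        try {
            s.write(b, off, len);
            return null;
        } catch (RuntimeException | IOException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        byte[] buf = new byte[16]; // constructed input
        OutputStream naive = new NaiveGuardStream(new ByteArrayOutputStream());
        OutputStream safe  = new SafeGuardStream(new ByteArrayOutputStream());

        // A valid range is accepted by both wrappers.
        System.out.println("valid    naive=" + probe(naive, buf, 4, 8)
                + " safe=" + probe(safe, buf, 4, 8));
        // A plain overrun is rejected by both wrappers' own guards.
        System.out.println("overrun  naive=" + probe(naive, buf, 8, 16)
                + " safe=" + probe(safe, buf, 8, 16));
        // off + len wraps to a negative int: the naive guard accepts the range and
        // only the delegate's own bounds check stops the write.
        int big = Integer.MAX_VALUE;
        System.out.println("int-wrap naive=" + probe(naive, buf, big, big)
                + " safe=" + probe(safe, buf, big, big));
        System.out.println("naive condition (" + big + " + " + big + ") > " + buf.length
                + " evaluates to " + ((big + big) > buf.length));
    }
}
```

Compile and run with `javac WriteGuardDemo.java && java WriteGuardDemo`. With `off = len = Integer.MAX_VALUE` the sum `off + len` wraps to -2, so the naive guard accepts the range and it is the delegate (`ByteArrayOutputStream`) that rejects it with its own `IndexOutOfBoundsException`; the quoted form subtracts `len`, already known to be at most `b.length`, so it cannot overflow, which is the same condition that `java.util.Objects.checkFromIndexSize(off, len, b.length)` (Java 9 and later) enforces.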