https://bugzilla.redhat.com/show_bug.cgi?id=1933808
--- Comment #6 from Todd Cullum tcullum@redhat.com ---
Flaw summary:
NodePickerPanel in batik was configured to load XML external Document Type Definitions (DTDs) and XML external entities. This allowed for crafted input to result in server-side request forgery, allowing an attacker to make arbitrary GET requests from the server. The patch disables external-general-entities, external-parameter-entities, and load-external-dtd in NodePickerPanel to prevent this.
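
A regression check for the three settings named in the summary, as an added example that is not batik's code or part of the original comment. It assumes a JAXP DocumentBuilderFactory on a JDK with default XML settings; the class name, helper names, temp file and marker string are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class ExternalEntityCheck {
    // The three parser features the flaw summary says the patch disables.
    static final String[] DISABLED = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd"
    };

    // Hypothetical helper: a factory with all three features switched off.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        for (String feature : DISABLED) {
            dbf.setFeature(feature, false); // throws if the parser rejects the feature
        }
        return dbf;
    }

    // Parses the XML and returns the text content of the root element.
    static String parseText(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed local file standing in for a resource the parser must not fetch.
        Path marker = Files.createTempFile("entity-target", ".txt");
        Files.writeString(marker, "FETCHED-BY-PARSER");
        // Constructed input: an external general entity that points at that file.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE node [<!ENTITY ext SYSTEM \"" + marker.toUri() + "\">]>\n"
            + "<node>&ext;</node>";
        try {
            String before = parseText(DocumentBuilderFactory.newInstance(), xml);
            String after = parseText(hardenedFactory(), xml);
            System.out.println("default factory resolved entity:  " + before.contains("FETCHED-BY-PARSER"));
            System.out.println("hardened factory resolved entity: " + after.contains("FETCHED-BY-PARSER"));
            if (after.contains("FETCHED-BY-PARSER")) {
                throw new AssertionError("external entity was still resolved");
            }
        } finally {
            Files.deleteIfExists(marker);
        }
    }
}
```

The same comparison can be kept as a unit test next to any code path that parses untrusted XML, so a later change that re-enables one of the features fails the build.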