Severity: 7.5 HIGH
EPSS: 0.8% (top 25.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 12; Latest update May 30

Description

Apache Batik is vulnerable to server-side request forgery (SSRF), caused by improper input validation of the "xlink:href" attribute. By supplying a specially crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (22 packages)

Source | Package | Affected versions
NVD | apache/batik | < 1.13
CVEListV5 | apache_batik | Apache Batik 1.12 and older
Debian | batik | < 1.12-1.1+3
Ubuntu | batik | < 1.10-2~18.04.1+4

Patches

Vulnerability Details (5)

OSV: batik vulnerabilities (2023-05-30)
OSV: Server-side request forgery (SSRF) in Apache Batik (2022-02-09)
GHSA: Server-side request forgery (SSRF) in Apache Batik (2022-02-09)
CVEList: CVE-2019-17566: Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes (2020-11-12)
OSV: CVE-2019-17566: Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes (2020-11-12)

Vendor Advisories (7)

Ubuntu: Apache Batik vulnerabilities (2023-05-30)
Oracle: Oracle Fusion Middleware Risk Matrix: Analytics Web Answers (Apache Batik), CVE-2019-17566 (2022-01-15)
Oracle: Oracle Communications Applications Risk Matrix: CN OCOMC (Apache Batik), CVE-2019-17566 (2021-07-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Rate Management (Apache Batik), CVE-2019-17566 (2021-04-15)
Oracle: Oracle Communications Applications Risk Matrix: Print Preview (Apache Batik), CVE-2019-17566 (2021-01-15)

Community (2)

Bugzilla: CVE-2019-17566 batik: SSRF via "xlink:href" (2020-06-18)
Bugzilla: CVE-2019-17566 batik: SSRF via "xlink:href" [fedora-all] (2020-06-18)
CVE-2019-17566 (HIGH CVSS 7.5) | Apache Batik is vulnerable to serve | cvebase.io