CVE-2020-11987: Improper Input Validation in Apache Batik

Severity: 8.2 HIGH (NVD), 7.5 (OSV)
EPSS: 1.4% (top 19.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; latest update May 30

Description

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Exploitability: 3.9 | Impact: 4.2

Affected Packages (23 packages)

Debian: apache/batik < 1.12-4+deb11u3 (+3)
Ubuntu: apache/batik < 1.10-2~18.04.1 (+4)
NVD: apache/batik 1.13
NVD: oracle/weblogic_server 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 (+2)
CVEListV5: apache_software_foundation/apache_batik, Apache Batik 1.13

Also affects: Debian Linux 10.0, Fedora 33, 34

Patches

Vulnerability Details (5)

OSV: batik vulnerabilities (2023-05-30)
GHSA: Server-side request forgery (SSRF) in Apache Batik (2022-01-06)
OSV: Server-side request forgery (SSRF) in Apache Batik (2022-01-06)
CVEList: CVE-2020-11987: Apache Batik 1 (2021-02-24)
OSV: CVE-2020-11987: Apache Batik 1 (2021-02-24)

Vendor Advisories (11)

Ubuntu: Apache Batik vulnerabilities (2023-05-30)
Oracle: Oracle Insurance Applications Risk Matrix: Logger (Apache Batik) — CVE-2020-11987 (2023-04-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Third Party Patch (Apache Batik) — CVE-2020-11987 (2023-01-15)
Oracle: Oracle Communications Data Model Risk Matrix: Utilities (Apache Batik) — CVE-2020-11987 (2022-10-15)
Oracle: Oracle Fusion Middleware Risk Matrix: Centralized Third Party Jars (Apache Batik) — CVE-2020-11987 (2022-07-15)
Source: cvebase