CVE-2020-11987
Published 2021-02-24
Severity: High, 8.2 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:L A:N
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
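The vulnerable component named above, NodePickerPanel, is part of Batik's Squiggle browser GUI, and the only remedy this advisory supports for it is upgrading past 1.13 (the Affected table lists 1.14 distribution builds as fixed). The more common way Batik ends up on a server, though, is as a headless transcoder rendering user-supplied SVG, and the same class of bug (the renderer fetching whatever URL the document points at) is what a practitioner should check for there. The following is an added example, not code from this advisory or from the Batik project, of the standard Batik hook for that: the transcoder's UserAgent is replaced with one whose external-resource and script policies are an explicit deny, so the bridge refuses every fetch regardless of what the default policy is in a given release. The class name, the `internal.example` host and the sample SVG are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadScriptSecurity;
import org.apache.batik.bridge.ScriptSecurity;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.util.ParsedURL;

/**
 * Renders untrusted SVG with Batik while refusing every external fetch.
 * Hypothetical hardening example for this advisory; not Batik project code.
 */
public class NoFetchSvgRenderer {

    /** PNGTranscoder whose UserAgent vetoes external resources and scripts. */
    static class LockedDownPngTranscoder extends PNGTranscoder {
        @Override
        protected UserAgent createUserAgent() {
            // ImageTranscoderUserAgent is the UserAgent Batik's image
            // transcoders use by default; only its two security hooks are
            // overridden here, everything else keeps the stock behaviour.
            return new ImageTranscoderUserAgent() {
                @Override
                public ExternalResourceSecurity getExternalResourceSecurity(
                        ParsedURL resourceURL, ParsedURL docURL) {
                    // The bridge calls checkLoadExternalResource() on the
                    // returned policy before it loads a referenced resource
                    // (for example an <image> href). NoLoad makes that check
                    // throw SecurityException, so no request to resourceURL
                    // is ever issued, whatever host or scheme it names.
                    return new NoLoadExternalResourceSecurity();
                }

                @Override
                public ScriptSecurity getScriptSecurity(
                        String scriptType, ParsedURL scriptURL, ParsedURL docURL) {
                    // Same explicit deny for <script> elements.
                    return new NoLoadScriptSecurity(scriptType);
                }
            };
        }
    }

    /** Renders SVG bytes to PNG under the deny-all policy. */
    public static byte[] renderToPng(byte[] svg) throws TranscoderException {
        ByteArrayOutputStream png = new ByteArrayOutputStream();
        new LockedDownPngTranscoder().transcode(
                new TranscoderInput(new ByteArrayInputStream(svg)),
                new TranscoderOutput(png));
        return png.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample input: an SVG whose <image> points at an
        // internal host. A renderer that honours the href would make a GET
        // to it; with the policy above the load is refused instead.
        String svg = "<svg xmlns='http://www.w3.org/2000/svg'"
                + " xmlns:xlink='http://www.w3.org/1999/xlink'"
                + " width='10' height='10'>"
                + "<image xlink:href='http://internal.example:8080/admin'"
                + " width='10' height='10'/>"
                + "</svg>";
        try {
            byte[] png = renderToPng(svg.getBytes(StandardCharsets.UTF_8));
            System.out.println("rendered " + png.length + " bytes; no external fetch made");
        } catch (TranscoderException e) {
            // Depending on the release, Batik may surface the refused load as
            // a transcoding error rather than a broken-image placeholder.
            // Either outcome is acceptable: no request left the host.
            System.out.println("render refused: " + e.getMessage());
        }
    }
}
```

To confirm the policy is effective, run the renderer with the sample input while watching outbound connections (for example with a local packet capture or an egress-denying firewall rule) and verify that nothing is sent to the host named in the href. This does not address the NodePickerPanel path in Squiggle; for that, upgrade to a fixed package from the Affected table.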
Affected
47 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | batik | <= 1.13 | — |
| apache | batik | >= 0 < 1.12-4+deb11u3 | 1.12-4+deb11u3 |
| apache | batik | >= 0 < 1.14-1 | 1.14-1 |
| apache | batik | >= 0 < 1.14-1 | 1.14-1 |
| apache | batik | >= 0 < 1.14-1 | 1.14-1 |
| apache | batik | >= 0 < 1.10-2~18.04.1 | 1.10-2~18.04.1 |
| apache | batik | >= 0 < 1.12-1ubuntu0.1 | 1.12-1ubuntu0.1 |
| apache | batik | >= 0 < 1.14-1ubuntu0.2 | 1.14-1ubuntu0.2 |
| apache | batik | >= 0 < 1.7.ubuntu-8ubuntu2.14.04.3+esm1 | 1.7.ubuntu-8ubuntu2.14.04.3+esm1 |
| apache | batik | >= 0 < 1.8-3ubuntu1+esm1 | 1.8-3ubuntu1+esm1 |
| debian | batik | < batik 1.14-1 (bookworm) | batik 1.14-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| oracle | agile_engineering_data_management | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_apis | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
| oracle | banking_digital_experience | — | — |
CVSS provenance
NVD (CVSS v3.1): 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
OSV: 8.2 HIGH