CVE-2019-17566

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-17566
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171%40%3Ccommits.myfaces.apache.org%3E
https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509%40%3Ccommits.myfaces.apache.org%3E
https://security.gentoo.org/glsa/202401-11
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://xmlgraphics.apache.org/security.html Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
History

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

05 Apr 2022, 20:25

Type Values Removed Values Added
CWE CWE-20
CPE cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
References (MLIST) https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E - Mailing List, Patch, Vendor Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References (MLIST) https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E - Mailing List, Patch, Vendor Advisory
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

20 Oct 2021, 11:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -
CWE CWE-20

14 Jun 2021, 18:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -
Information

Published : 2020-11-12 18:15

Updated : 2024-02-04 21:23

NVD link : CVE-2019-17566

Mitre link : CVE-2019-17566

CVE.ORG link : CVE-2019-17566

JSON object : View

Products Affected

oracle

  • instantis_enterprisetrack
  • financial_services_analytical_applications_infrastructure
  • hyperion_financial_reporting
  • communications_application_session_controller
  • business_intelligence
  • hospitality_opera_5
  • retail_point-of-service
  • communications_metasolv_solution
  • fusion_middleware_mapviewer
  • communications_offline_mediation_controller
  • api_gateway
  • retail_integration_bus
  • retail_returns_management
  • retail_order_management_system_cloud_service
  • jd_edwards_enterpriseone_tools
  • enterprise_repository
  • retail_order_broker

apache

  • batik
CWE
CWE-918

Server-Side Request Forgery (SSRF)