CVE-2020-11987

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVSS v3 8.2 HIGH
CVSS v2.0 6.4 MEDIUM

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202401-11	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://xmlgraphics.apache.org/security.html	Release Notes Vendor Advisory
https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E	Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202401-11	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://xmlgraphics.apache.org/security.html	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:banking_apis:18.3:::::::*
	cpe:2.3:a:oracle:banking_apis:19.1:::::::*
	cpe:2.3:a:oracle:banking_apis:19.2:::::::*
	cpe:2.3:a:oracle:banking_apis:20.1:::::::*
	cpe:2.3:a:oracle:banking_apis:21.1:::::::*
	cpe:2.3:a:oracle:banking_digital_experience:18.3:::::::*
	cpe:2.3:a:oracle:banking_digital_experience:19.1:::::::*
	cpe:2.3:a:oracle:banking_digital_experience:19.2:::::::*
	cpe:2.3:a:oracle:banking_digital_experience:20.1:::::::*
	cpe:2.3:a:oracle:banking_digital_experience:21.1:::::::*
	cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:::::::*
	cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:::::::*
	cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:::::::*
	cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:::::::*
	cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:::::::*
	cpe:2.3:a:oracle:flexcube_universal_banking::::::::
	cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
	cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration::::::::
	cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:::::::*
	cpe:2.3:a:oracle:retail_back_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_central_office:14.1:::::::*
	cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
	cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
	cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:::::::*
	cpe:2.3:a:oracle:retail_point-of-service:14.1:::::::*
	cpe:2.3:a:oracle:retail_returns_management:14.1:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*

Configuration 4 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:59

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References	~~() https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory~~	() https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html - Mailing List, Third Party Advisory~~	() https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - Mailing List, Third Party Advisory~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - Mailing List, Third Party Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - Mailing List, Third Party Advisory~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - Mailing List, Third Party Advisory
References	~~() https://security.gentoo.org/glsa/202401-11 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202401-11 - Third Party Advisory
References	~~() https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References	~~() https://xmlgraphics.apache.org/security.html - Release Notes, Vendor Advisory~~	() https://xmlgraphics.apache.org/security.html - Release Notes, Vendor Advisory

01 Feb 2024, 01:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::* cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
References	{'url': 'https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E', 'name': '[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E', 'name': '[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/', 'name': 'FEDORA-2021-65ff5f10e2', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/', 'name': 'FEDORA-2021-33a1b73e48', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://security.gentoo.org/glsa/202401-11 - Third Party Advisory (MLIST) https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html - Mailing List, Third Party Advisory () https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - Mailing List, Third Party Advisory () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - Mailing List, Third Party Advisory () https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References	~~(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -~~	(N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

25 Jul 2022, 18:15

Type	Values Removed	Values Added
References		(N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

04 Apr 2022, 13:32

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:banking_digital_experience:19.1:::::::* cpe:2.3:a:oracle:banking_digital_experience:18.3:::::::* cpe:2.3:a:oracle:banking_apis:19.2:::::::* cpe:2.3:a:oracle:banking_digital_experience:21.1:::::::* cpe:2.3:a:oracle:banking_apis:21.1:::::::* cpe:2.3:a:oracle:banking_apis:20.1:::::::* cpe:2.3:a:oracle:banking_apis:18.3:::::::* cpe:2.3:a:oracle:banking_digital_experience:20.1:::::::* cpe:2.3:a:oracle:banking_digital_experience:19.2:::::::* cpe:2.3:a:oracle:banking_apis:19.1:::::::*

07 Feb 2022, 16:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

22 Dec 2021, 21:08

Type	Values Removed	Values Added
CPE	cpe:2.3:a:oracle:retail_central_officeretail_back_office:14.1:::::::*	cpe:2.3:a:oracle:retail_central_office:14.1:::::::*

10 Dec 2021, 18:13

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References	~~(N/A) https://www.oracle.com//security-alerts/cpujul2021.html -~~	(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
CPE		cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:::::::* cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:::::::* cpe:2.3:a:oracle:retail_central_officeretail_back_office:14.1:::::::* cpe:2.3:a:oracle:insurance_policy_administration:::::::: cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:::::::* cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::* cpe:2.3:a:oracle:retail_returns_management:14.1:::::::* cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:::::::* cpe:2.3:a:oracle:retail_order_broker:16.0:::::::* cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:::::::* cpe:2.3:a:oracle:flexcube_universal_banking:::::::: cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:::::::* cpe:2.3:a:oracle:retail_point-of-service:14.1:::::::* cpe:2.3:a:oracle:retail_order_broker:15.0:::::::* cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::* cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:::::::* cpe:2.3:a:oracle:retail_back_office:14.1:::::::* cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:::::::*

20 Oct 2021, 11:15

Type	Values Removed	Values Added
CWE		CWE-20
References		(N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -

14 Jun 2021, 18:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

Information

Published : 2021-02-24 18:15

Updated : 2024-11-21 04:59

NVD link : CVE-2020-11987

Mitre link : CVE-2020-11987

CVE.ORG link : CVE-2020-11987

JSON object : View

Products Affected

apache

batik

oracle

enterprise_repository
weblogic_server
communications_application_session_controller
retail_returns_management
communications_metasolv_solution
banking_apis
retail_order_management_system_cloud_service
retail_central_office
retail_point-of-service
retail_order_broker
communications_offline_mediation_controller
instantis_enterprisetrack
insurance_policy_administration
agile_engineering_data_management
fusion_middleware_mapviewer
banking_digital_experience
product_lifecycle_analytics
flexcube_universal_banking
retail_back_office

debian

debian_linux

fedoraproject

fedora

CWE

CWE-20

Improper Input Validation

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2020-11987", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2021-02-24T18:15:11.093", "references": [{"url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://security.gentoo.org/glsa/202401-11", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://xmlgraphics.apache.org/security.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202401-11", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://xmlgraphics.apache.org/security.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests."}, {"lang": "es", "value": "Apache Batik versi\u00f3n 1.13 es vulnerable a un ataque de tipo server-side request forgery, causada por una comprobaci\u00f3n de entrada inapropiada por parte de NodePickerPanel. Al usar un argumento especialmente dise\u00f1ado, un atacante podr\u00eda explotar esta vulnerabilidad para causar que el servidor subyacente lleve a cabo peticiones GET arbitrarias"}], "lastModified": "2024-11-21T04:59:03.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9EA21E7-63C2-4548-95E4-20A8D2E6B67A", "versionEndIncluding": "1.13"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "042269E6-D3B4-4867-86FA-9301FACA9FF2"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1"}, {"criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "441FD998-ABE6-4377-AAFA-FEAE42352FE8"}, {"criteria": "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0912F464-5F38-4BBB-9E68-65CE34306E7C"}, {"criteria": "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64BCB9E3-883D-4C1F-9785-2E182BA47B5B"}, {"criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49ACFC73-A509-4D1C-8FC3-F68F495AB055"}, {"criteria": "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69300B13-8C0F-4433-A6E8-B2CE32C4723D"}, {"criteria": "cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FA54C48-2FE6-495E-A92C-85F149AA1B64", "versionEndIncluding": "14.4.0", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA86EF7E-6162-4244-9C88-7AF5CAB787E0"}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4"}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4"}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3"}, {"criteria": "cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E883986-13DA-470F-95C4-BEBD0EDFEB9C", "versionEndIncluding": "11.3.1", "versionStartIncluding": "11.0"}, {"criteria": "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F978162-CB2C-4166-947A-9048C6E878BC"}, {"criteria": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0735989-13BD-40B3-B954-AC0529C5B53D"}, {"criteria": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58405263-E84C-4071-BB23-165D49034A00"}, {"criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780"}, {"criteria": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38E74E68-7F19-4EF3-AC00-3C249EAAA39E"}, {"criteria": "cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0C02FB5-59A0-43BC-B3DA-2BB1A1BE5CC3"}, {"criteria": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E13DF2AE-F315-4085-9172-6C8B21AF1C9E"}, {"criteria": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"}, {"criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

8.2 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2020-11987

8.2^/10

6.4^/10

Attach tags to `CVE-2020-11987`