Bug 1182748 - (CVE-2020-11987) VUL-0: CVE-2020-11987: xmlgraphics-batik: Apache XML Graphics Batik SSRF vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/278506/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-11987:5.8:(AV:...
Depends on:
Blocks:
Reported: 2021-02-25 12:58 UTC by Gianluca Gabrielli
Modified: 2022-10-10 16:56 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-02-25 12:58:07 UTC
CVE-2020-11987

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by
improper input validation by the NodePickerPanel. By using a specially-crafted
argument, an attacker could exploit this vulnerability to cause the underlying
server to make arbitrary GET requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11987
http://seclists.org/oss-sec/2021/q1/174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
https://xmlgraphics.apache.org/security.html
Comment 1 Gianluca Gabrielli 2021-02-25 12:58:43 UTC
Affected packages:
 * SUSE:SLE-12-SP3:Update/xmlgraphics-batik (v. 1.8)
 * SUSE:SLE-15-SP2:Update/xmlgraphics-batik (v. 1.10)

Upstream patch:
 * 0ef5b66 [0]

--
[0] https://github.com/apache/xmlgraphics-batik/commit/0ef5b661a1f77772d1110877ea9e0287987098f6.patch
Comment 3 Thomas Leroy 2022-09-12 13:38:35 UTC
Any news Thomas?
Comment 5 Matej Cepl 2022-09-27 13:20:50 UTC
This is Java, not Python.