Bug 1182754 - (CVE-2020-11988) VUL-0: CVE-2020-11988: xmlgraphics-commons: Apache XML Graphics Commons SSRF vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/278507/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-11988:8.2:(AV:...
Depends on:
Blocks:
Reported: 2021-02-25 13:38 UTC by Gianluca Gabrielli
Modified: 2022-10-07 16:20 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Gianluca Gabrielli 2021-02-25 13:38:29 UTC
CVE-2020-11988

Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery,
caused by improper input validation by the XMPParser. By using a
specially-crafted argument, an attacker could exploit this vulnerability to
cause the underlying server to make arbitrary GET requests.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11988
http://seclists.org/oss-sec/2021/q1/173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988
https://xmlgraphics.apache.org/security.html
Comment 1 Gianluca Gabrielli 2021-02-25 13:38:44 UTC
Affected packages (v. 2.4 and earlier, fixed in Commons 2.6):
 * SUSE:SLE-15-SP2:Update/xmlgraphics-commons (v. 2.3)
 * SUSE:SLE-12-SP3:Update/xmlgraphics-commons (v. 2.1)
 
Upstream patch:
 * 5739391 [0]
 
 --
 [0] https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183.patch
Comment 3 Thomas Leroy 2022-09-12 13:37:27 UTC
Any news Thomas?
Comment 5 Matej Cepl 2022-09-27 13:20:06 UTC
This is Java, not Python.
Comment 10 Swamp Workflow Management 2022-10-07 16:20:27 UTC
SUSE-SU-2022:3550-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182754
CVE References: CVE-2020-11988
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xmlgraphics-commons-2.6-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.