Bug 1182754 - (CVE-2020-11988) VUL-0: CVE-2020-11988: xmlgraphics-commons: Apache XML Graphics Commons SSRF vulnerability
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Fridrich Strba
Security Team bot
Depends on:
Reported: 2021-02-25 13:38 UTC by Gianluca Gabrielli
Modified: 2022-10-07 16:20 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-02-25 13:38:29 UTC

Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery,
caused by improper input validation by the XMPParser. By using a
specially-crafted argument, an attacker could exploit this vulnerability to
cause the underlying server to make arbitrary GET requests.

Comment 1 Gianluca Gabrielli 2021-02-25 13:38:44 UTC
Affected packages (v. 2.4 and earlier, fixed in Commons 2.6):
 * SUSE:SLE-15-SP2:Update/xmlgraphics-commons (v. 2.3)
 * SUSE:SLE-12-SP3:Update/xmlgraphics-commons (v. 2.1)
Upstream patch:
 * 5739391 [0]
 [0] https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183.patch
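The class of problem described above (an XML-based metadata parser that follows external references embedded in untrusted input) is usually closed by configuring the parser to refuse DOCTYPE declarations and external entities. The following is an added illustration written for this bug entry, not code from xmlgraphics-commons or from the upstream patch: the class name, the constructed XMP packet and the `.invalid` placeholder URL are all assumptions, and the feature flags are the standard JAXP/Xerces hardening settings rather than a description of what the upstream commit changed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmpParse {

    // Constructed sample: an XMP packet whose DOCTYPE declares an external
    // entity. A parser that honours the declaration would issue a GET to that
    // URL while reading metadata supplied by whoever produced the document.
    static final String SAMPLE_XMP =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x:xmpmeta [ <!ENTITY ext SYSTEM \"http://internal.invalid/probe\"> ]>\n"
      + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
      + "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
      + "    <rdf:Description rdf:about=\"\">&ext;</rdf:Description>\n"
      + "  </rdf:RDF>\n"
      + "</x:xmpmeta>";

    /** Builds a SAX parser that never resolves DTDs or external entities. */
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject any DOCTYPE outright: a well-formed XMP packet never needs one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Returns true when the packet is refused before any network access is attempted. */
    static boolean rejectsExternalReferences(String xmp) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xmp)), new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true; // the DOCTYPE is disallowed, so parsing stops before any fetch
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsExternalReferences(SAMPLE_XMP));
    }
}
```

Running the class prints `rejected: true`; removing the `disallow-doctype-decl` line and the two entity features is a quick way to confirm that the packet would otherwise be accepted and the entity resolved.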
Comment 3 Thomas Leroy 2022-09-12 13:37:27 UTC
Any news Thomas?
Comment 5 Matej Cepl 2022-09-27 13:20:06 UTC
This is Java, not Python.
Comment 10 Swamp Workflow Management 2022-10-07 16:20:27 UTC
SUSE-SU-2022:3550-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182754
CVE References: CVE-2020-11988
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xmlgraphics-commons-2.6-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.