CVSSv3 score: 8.2

CVE-2020-11987

Published: 24/02/2021 Updated: 21/11/2024

Vulnerability Summary

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows a malicious user to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows a malicious user to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows a malicious user to access files using a Jar URL. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

A vulnerability in Batik of Apache XML Graphics allows a malicious user to run untrusted Java code from an SVG. This issue affects Apache XML Graphics before 1.16. It is recommended to update to version 1.16. (CVE-2022-41704)

A vulnerability in Batik of Apache XML Graphics allows a malicious user to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics before 1.16. Users are recommended to upgrade to version 1.16. (CVE-2022-42890)

Vulnerable Product

apache batik

fedoraproject fedora 33

fedoraproject fedora 34

oracle agile engineering data management 6.2.1.0

oracle banking apis 18.3

oracle banking apis 19.1

oracle banking apis 19.2

oracle banking apis 20.1

oracle banking apis 21.1

oracle banking digital experience 18.3

oracle banking digital experience 19.1

oracle banking digital experience 19.2

oracle banking digital experience 20.1

oracle banking digital experience 21.1

oracle communications application session controller 3.9m0p3

oracle communications metasolv solution 6.3.0

oracle communications metasolv solution 6.3.1

oracle communications offline mediation controller 12.0.0.3.0

oracle enterprise repository 11.1.1.7.0

oracle flexcube universal banking

oracle fusion middleware mapviewer 12.2.1.4.0

oracle instantis enterprisetrack 17.1

oracle instantis enterprisetrack 17.2

oracle instantis enterprisetrack 17.3

oracle insurance policy administration

oracle product lifecycle analytics 3.6.1

oracle retail back office 14.1

oracle retail central office 14.1

oracle retail order broker 15.0

oracle retail order broker 16.0

oracle retail order management system cloud service 19.5

oracle retail point-of-service 14.1

oracle retail returns management 14.1

oracle weblogic server 12.2.1.3.0

oracle weblogic server 12.2.1.4.0

oracle weblogic server 14.1.1.0.0

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #984829 batik: CVE-2020-11987 Package: src:batik; Maintainer for src:batik is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 8 Mar 2021 19:54:01 UTC Severity: important Tags: security, upstream Found i ...

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2020-11987) Server-Side Request Forgery (SSRF) vulnerability in Batik of A ...

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests ...

The Apache Batik library before version 1.14 is vulnerable to server-side request forgery (SSRF) via the NodePickerPanel that allows an attacker to cause the underlying server to make arbitrary GET requests ...

Mailing Lists

CVE-2020-11987: Apache XML Graphics Batik SSRF vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Batik 1.13 and earlier

Description: The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allows an attacker to cause the underlying server to make a ...

Github Repositories

An HTML to PDF library for the JVM. Based on Flying Saucer and Apache PDF-BOX 2. With SVG image support. Now also with accessible PDF support (WCAG, Section 508, PDF/UA)!

OPEN HTML TO PDF

OVERVIEW

Open HTML to PDF is a pure-Java library for rendering a reasonable subset of well-formed XML/XHTML (and even some HTML5) using CSS 2.1 (and later standards) for layout and formatting, outputting to PDF or images. Use this library to generate nice-looking PDF documents. But be aware that you can not throw modern HTML5+ at this engine and expect a grea