Lucene search

[email protected]NVD:CVE-2020-11987

HistoryFeb 24, 2021 - 6:15 p.m.

CVE-2020-11987

2021-02-2418:15:11

CWE-20

CWE-918

[email protected]

web.nvd.nist.gov

apache batik

server-side request forgery

input validation

nodepickerpanel

arbitrary get requests

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.007

Percentile

80.7%

JSON

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Affected configurations

Nvd

Node

apachebatikRange≤1.13

Node

fedoraprojectfedoraMatch33

fedoraprojectfedoraMatch34

Node

oracleagile_engineering_data_managementMatch6.2.1.0

oraclebanking_apisMatch18.3

oraclebanking_apisMatch19.1

oraclebanking_apisMatch19.2

oraclebanking_apisMatch20.1

oraclebanking_apisMatch21.1

oraclebanking_digital_experienceMatch18.3

oraclebanking_digital_experienceMatch19.1

oraclebanking_digital_experienceMatch19.2

oraclebanking_digital_experienceMatch20.1

oraclebanking_digital_experienceMatch21.1

oraclecommunications_application_session_controllerMatch3.9m0p3

oraclecommunications_metasolv_solutionMatch6.3.0

oraclecommunications_metasolv_solutionMatch6.3.1

oraclecommunications_offline_mediation_controllerMatch12.0.0.3.0

oracleenterprise_repositoryMatch11.1.1.7.0

oracleflexcube_universal_bankingRange14.1.0–14.4.0

oraclefusion_middleware_mapviewerMatch12.2.1.4.0

oracleinstantis_enterprisetrackMatch17.1

oracleinstantis_enterprisetrackMatch17.2

oracleinstantis_enterprisetrackMatch17.3

oracleinsurance_policy_administrationRange11.0–11.3.1

oracleproduct_lifecycle_analyticsMatch3.6.1

oracleretail_back_officeMatch14.1

oracleretail_central_officeMatch14.1

oracleretail_order_brokerMatch15.0

oracleretail_order_brokerMatch16.0

oracleretail_order_management_system_cloud_serviceMatch19.5

oracleretail_point-of-serviceMatch14.1

oracleretail_returns_managementMatch14.1

oracleweblogic_serverMatch12.2.1.3.0

oracleweblogic_serverMatch12.2.1.4.0

oracleweblogic_serverMatch14.1.1.0.0

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
apachebatik*cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
oracleagile_engineering_data_management6.2.1.0cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
oraclebanking_apis18.3cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*
oraclebanking_apis19.1cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
oraclebanking_apis19.2cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
oraclebanking_apis20.1cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
oraclebanking_apis21.1cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
oraclebanking_digital_experience18.3cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	batik	*	cpe:2.3:a:apache:batik::::::::
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
oracle	agile_engineering_data_management	6.2.1.0	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
oracle	banking_apis	18.3	cpe:2.3:a:oracle:banking_apis:18.3:::::::*
oracle	banking_apis	19.1	cpe:2.3:a:oracle:banking_apis:19.1:::::::*
oracle	banking_apis	19.2	cpe:2.3:a:oracle:banking_apis:19.2:::::::*
oracle	banking_apis	20.1	cpe:2.3:a:oracle:banking_apis:20.1:::::::*
oracle	banking_apis	21.1	cpe:2.3:a:oracle:banking_apis:21.1:::::::*
oracle	banking_digital_experience	18.3	cpe:2.3:a:oracle:banking_digital_experience:18.3:::::::*