Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-17566

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Published

2020-11-12T18:15:12.567

Last Modified

2024-11-21T04:32:32.617

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-918
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache batik < 1.13 Yes
Application oracle api_gateway 11.1.2.4.0 Yes
Application oracle business_intelligence 5.5.0.0.0 Yes
Application oracle business_intelligence 5.9.0.0.0 Yes
Application oracle business_intelligence 12.2.1.3.0 Yes
Application oracle business_intelligence 12.2.1.4.0 Yes
Application oracle communications_application_session_controller 3.9m0p2 Yes
Application oracle communications_metasolv_solution ≤ 6.3.1 Yes
Application oracle communications_offline_mediation_controller 12.0.0.3.0 Yes
Application oracle enterprise_repository 11.1.1.7.0 Yes
Application oracle financial_services_analytical_applications_infrastructure ≤ 8.1.0 Yes
Application oracle fusion_middleware_mapviewer 12.2.1.4.0 Yes
Application oracle hospitality_opera_5 5.5 Yes
Application oracle hospitality_opera_5 5.6 Yes
Application oracle hyperion_financial_reporting 11.1.2.4 Yes
Application oracle hyperion_financial_reporting 11.2.5.0 Yes
Application oracle instantis_enterprisetrack ≤ 17.3 Yes
Application oracle jd_edwards_enterpriseone_tools < 9.2.4.0 Yes
Application oracle jd_edwards_enterpriseone_tools 9.2.4.2 Yes
Application oracle retail_integration_bus 15.0.3 Yes
Application oracle retail_order_broker 15.0 Yes
Application oracle retail_order_broker 16.0 Yes
Application oracle retail_order_management_system_cloud_service 19.5 Yes
Application oracle retail_point-of-service 14.1 Yes
Application oracle retail_returns_management 14.1 Yes
References