Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-11987

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Published

2021-02-24T18:15:11.093

Last Modified

2024-11-21T04:59:03.443

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-20
    CWE-918

Affected Vendors & Products

Type             | Vendor        | Product                                       | Version/Range | Vulnerable?
-----------------|---------------|-----------------------------------------------|---------------|------------
Application      | apache        | batik                                         | ≤ 1.13        | Yes
Operating System | fedoraproject | fedora                                        | 33            | Yes
Operating System | fedoraproject | fedora                                        | 34            | Yes
Application      | oracle        | agile_engineering_data_management             | 6.2.1.0       | Yes
Application      | oracle        | banking_apis                                  | 18.3          | Yes
Application      | oracle        | banking_apis                                  | 19.1          | Yes
Application      | oracle        | banking_apis                                  | 19.2          | Yes
Application      | oracle        | banking_apis                                  | 20.1          | Yes
Application      | oracle        | banking_apis                                  | 21.1          | Yes
Application      | oracle        | banking_digital_experience                    | 18.3          | Yes
Application      | oracle        | banking_digital_experience                    | 19.1          | Yes
Application      | oracle        | banking_digital_experience                    | 19.2          | Yes
Application      | oracle        | banking_digital_experience                    | 20.1          | Yes
Application      | oracle        | banking_digital_experience                    | 21.1          | Yes
Application      | oracle        | communications_application_session_controller | 3.9m0p3       | Yes
Application      | oracle        | communications_metasolv_solution              | 6.3.0         | Yes
Application      | oracle        | communications_metasolv_solution              | 6.3.1         | Yes
Application      | oracle        | communications_offline_mediation_controller   | 12.0.0.3.0    | Yes
Application      | oracle        | enterprise_repository                         | 11.1.1.7.0    | Yes
Application      | oracle        | flexcube_universal_banking                    | ≤ 14.4.0      | Yes
Application      | oracle        | fusion_middleware_mapviewer                   | 12.2.1.4.0    | Yes
Application      | oracle        | instantis_enterprisetrack                     | 17.1          | Yes
Application      | oracle        | instantis_enterprisetrack                     | 17.2          | Yes
Application      | oracle        | instantis_enterprisetrack                     | 17.3          | Yes
Application      | oracle        | insurance_policy_administration               | ≤ 11.3.1      | Yes
Application      | oracle        | product_lifecycle_analytics                   | 3.6.1         | Yes
Application      | oracle        | retail_back_office                            | 14.1          | Yes
Application      | oracle        | retail_central_office                         | 14.1          | Yes
Application      | oracle        | retail_order_broker                           | 15.0          | Yes
Application      | oracle        | retail_order_broker                           | 16.0          | Yes
Application      | oracle        | retail_order_management_system_cloud_service  | 19.5          | Yes
Application      | oracle        | retail_point-of-service                       | 14.1          | Yes
Application      | oracle        | retail_returns_management                     | 14.1          | Yes
Application      | oracle        | weblogic_server                               | 12.2.1.3.0    | Yes
Application      | oracle        | weblogic_server                               | 12.2.1.4.0    | Yes
Application      | oracle        | weblogic_server                               | 14.1.1.0.0    | Yes
Operating System | debian        | debian_linux                                  | 10.0          | Yes

References