Apache Batik is vulnerable to server-side request forgery (SSRF), caused by improper input validation of "xlink:href" attribute values. By supplying a specially crafted SVG document, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests to attacker-chosen URLs while rendering the document.
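The vector is any href-bearing SVG element (for example `<image xlink:href="...">`) whose target a server-side renderer fetches while rendering. The pre-flight scanner below is an added example, not Apache Batik's code or part of the advisory: it parses an SVG before it reaches the renderer and rejects every href that is not an in-document `#fragment` or an inline `data:` URL. The sample SVG, element names and the policy of blocking all external targets (rather than only private-address literals, since DNS names are not resolved here) are assumptions made for illustration.

```python
"""Pre-flight scan of an SVG for external xlink:href / href targets.

Added example (not Apache Batik code): runs ahead of a server-side SVG
renderer and refuses documents whose href attributes point anywhere other
than the document itself (#fragment) or inline data: URLs. The sample SVG
below is constructed for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href; SVG 2 also allows a plain href. Check both.
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# Schemes that read the renderer's own filesystem/classpath rather than the network.
LOCAL_SCHEMES = {"file", "jar"}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def iter_hrefs(svg_text):
    """Yield (element name, href value) for every href-bearing element, in document order."""
    # ElementTree does not fetch external DTDs or entities, so parsing stays offline.
    root = ET.fromstring(svg_text)
    for el in root.iter():
        for attr in HREF_ATTRS:
            value = el.get(attr)
            if value is not None:
                yield local_name(el.tag), value.strip()


def classify_href(href):
    """Return one of: fragment, data, relative, external."""
    if href.startswith("#"):
        return "fragment"
    scheme = urlsplit(href).scheme.lower()
    if scheme == "data":
        return "data"
    if scheme == "":
        # Resolved against the document base URL at render time; only safe
        # when that base is local and trusted, so it is not allowed by default.
        return "relative"
    return "external"


def names_internal_target(href):
    """True when the href obviously aims at the host itself or its private network.

    DNS names are deliberately not resolved (offline check), so a hostname that
    resolves to 169.254.169.254 would return False here. That is why the policy
    in find_disallowed_refs blocks all external hrefs, not only internal-looking ones.
    """
    parts = urlsplit(href)
    if parts.scheme.lower() in LOCAL_SCHEMES:
        return True
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_disallowed_refs(svg_text):
    """Every href that would make the renderer fetch something outside the document."""
    return [(name, href) for name, href in iter_hrefs(svg_text)
            if classify_href(href) not in ("fragment", "data")]


# Constructed sample: a benign <use> and data: image, plus two hrefs that a
# vulnerable renderer would fetch (a cloud metadata address and a local file).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><circle id="c" r="4"/></defs>
  <use xlink:href="#c"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
  <image xlink:href="http://169.254.169.254/latest/meta-data/" width="1" height="1"/>
  <image xlink:href="file:///etc/hostname" width="1" height="1"/>
</svg>"""


if __name__ == "__main__":
    for name, href in find_disallowed_refs(SAMPLE_SVG):
        flag = "INTERNAL" if names_internal_target(href) else "external"
        print("reject <%s href=%r> (%s)" % (name, href, flag))
```

This is a defence-in-depth filter in front of the renderer, not a substitute for the fix: upgrade to a Batik release listed as fixed on the vendor advisory referenced below. Batik also exposes its own hook for this policy (a `UserAgent` implementation can return a `NoLoadExternalResourceSecurity` from `getExternalResourceSecurity`), which is the right place to enforce it once the scanner has done its job.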
References
Link | Resource |
---|---|
https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171%40%3Ccommits.myfaces.apache.org%3E | |
https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509%40%3Ccommits.myfaces.apache.org%3E | |
https://security.gentoo.org/glsa/202401-11 | |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuApr2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2021.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
https://www.oracle.com/security-alerts/cpuoct2021.html | Patch Third Party Advisory |
https://xmlgraphics.apache.org/security.html | Vendor Advisory |
History
07 Jan 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
07 Nov 2023, 03:06
Type | Values Removed | Values Added |
---|---|---|
References | | |
06 Dec 2022, 21:18
Type | Values Removed | Values Added |
---|---|---|
References | | (N/A) https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory |
25 Jul 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
05 Apr 2022, 20:25
Type | Values Removed | Values Added |
---|---|---|
CPE | | cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:* |
CPE | | cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:* |
CPE | | cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_metasolv_solution:*:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:* |
CPE | | cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:* |
CPE | | cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:* |
CPE | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
First Time | | Oracle communications Metasolv Solution |
First Time | | Oracle financial Services Analytical Applications Infrastructure |
First Time | | Oracle |
First Time | | Oracle retail Integration Bus |
First Time | | Oracle jd Edwards Enterpriseone Tools |
First Time | | Oracle hyperion Financial Reporting |
First Time | | Oracle hospitality Opera 5 |
First Time | | Oracle communications Offline Mediation Controller |
First Time | | Oracle retail Point-of-service |
First Time | | Oracle retail Returns Management |
First Time | | Oracle api Gateway |
First Time | | Oracle retail Order Management System Cloud Service |
First Time | | Oracle fusion Middleware Mapviewer |
First Time | | Oracle communications Application Session Controller |
First Time | | Oracle retail Order Broker |
First Time | | Oracle instantis Enterprisetrack |
First Time | | Oracle business Intelligence |
First Time | | Oracle enterprise Repository |
CWE | | |
References | | (MLIST) https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E - Mailing List, Patch, Vendor Advisory |
References | | (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory |
References | | (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory |
References | | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory |
References | | (MISC) https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory |
References | | (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory |
References | | (MLIST) https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E - Mailing List, Patch, Vendor Advisory |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Oct 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
CWE | | CWE-20 |
14 Jun 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
20 Jan 2021, 15:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
Information
Published : 2020-11-12 18:15
Updated : 2024-01-07 11:15
NVD link : CVE-2019-17566
Mitre link : CVE-2019-17566
CVE.ORG link : CVE-2019-17566
Products Affected
oracle
- communications_metasolv_solution
- communications_application_session_controller
- retail_point-of-service
- instantis_enterprisetrack
- retail_order_management_system_cloud_service
- enterprise_repository
- communications_offline_mediation_controller
- api_gateway
- hyperion_financial_reporting
- jd_edwards_enterpriseone_tools
- hospitality_opera_5
- financial_services_analytical_applications_infrastructure
- retail_returns_management
- retail_order_broker
- fusion_middleware_mapviewer
- business_intelligence
- retail_integration_bus
apache
- batik
CWE
CWE-918
Server-Side Request Forgery (SSRF)