CVE-2020-11987

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-11987
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

8.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

6.4 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202401-11 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://xmlgraphics.apache.org/security.html Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
History

01 Feb 2024, 01:24

Type Values Removed Values Added
First Time Debian
Debian debian Linux
Oracle agile Engineering Data Management
Oracle product Lifecycle Analytics
Oracle weblogic Server
CPE cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
References () https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E - () https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References () https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E - () https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References () https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html - () https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - Mailing List, Third Party Advisory
References () https://security.gentoo.org/glsa/202401-11 - () https://security.gentoo.org/glsa/202401-11 - Third Party Advisory
References () https://www.oracle.com/security-alerts/cpujul2022.html - () https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory

07 Jan 2024, 11:15

Type Values Removed Values Added
References
  • () https://security.gentoo.org/glsa/202401-11 -

07 Nov 2023, 03:15

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/', 'name': 'FEDORA-2021-33a1b73e48', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/', 'name': 'FEDORA-2021-65ff5f10e2', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E', 'name': '[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E', 'name': '[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ -
  • () https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E -
  • () https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ -

15 Oct 2023, 00:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html -

25 Jul 2022, 18:15

Type Values Removed Values Added
References
  • (N/A) https://www.oracle.com/security-alerts/cpujul2022.html -

04 Apr 2022, 13:32

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
First Time Oracle banking Digital Experience
Oracle banking Apis

07 Feb 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpujan2022.html -

22 Dec 2021, 21:08

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:retail_central_officeretail_back_office:14.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*

10 Dec 2021, 18:13

Type Values Removed Values Added
CPE cpe:2.3:a:oracle:retail_central_officeretail_back_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*
References (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory
References (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - (N/A) https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory

20 Oct 2021, 11:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuoct2021.html -
  • (N/A) https://www.oracle.com//security-alerts/cpujul2021.html -
CWE CWE-20

14 Jun 2021, 18:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuApr2021.html -

21 Apr 2021, 19:32

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ - Mailing List, Third Party Advisory

16 Apr 2021, 17:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/ -

23 Mar 2021, 01:07

Type Values Removed Values Added
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ - Mailing List, Third Party Advisory
CPE cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:* cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

19 Mar 2021, 23:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/ -

16 Mar 2021, 16:14

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 5.3 		v2 : 6.4
v3 : 8.2

15 Mar 2021, 21:43

Type Values Removed Values Added
References (MLIST) https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory
References (MLIST) https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E - (MLIST) https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E - Mailing List, Vendor Advisory

08 Mar 2021, 19:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E -

05 Mar 2021, 01:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E -

02 Mar 2021, 14:33

Type Values Removed Values Added
CWE CWE-918
CVSS v2 : unknown
v3 : unknown 		v2 : 5.0
v3 : 5.3
CPE cpe:2.3:a:apache:batik:1.13:*:*:*:*:*:*:*
References (MISC) https://xmlgraphics.apache.org/security.html - (MISC) https://xmlgraphics.apache.org/security.html - Release Notes, Vendor Advisory

24 Feb 2021, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2021-02-24 18:15

Updated : 2024-02-01 01:24

NVD link : CVE-2020-11987

Mitre link : CVE-2020-11987

CVE.ORG link : CVE-2020-11987

JSON object : View

Products Affected

oracle

  • retail_order_management_system_cloud_service
  • retail_back_office
  • communications_application_session_controller
  • instantis_enterprisetrack
  • retail_central_office
  • fusion_middleware_mapviewer
  • communications_offline_mediation_controller
  • agile_engineering_data_management
  • weblogic_server
  • flexcube_universal_banking
  • enterprise_repository
  • banking_digital_experience
  • product_lifecycle_analytics
  • communications_metasolv_solution
  • retail_point-of-service
  • retail_order_broker
  • retail_returns_management
  • insurance_policy_administration
  • banking_apis

apache

  • batik

fedoraproject

  • fedora

debian

  • debian_linux
CWE
CWE-20

Improper Input Validation

CWE-918

Server-Side Request Forgery (SSRF)