CVE-2020-11987

HIGH

Apache Batik <= 1.13 - Server-Side Request Forgery via NodePickerPanel

Title source: llm

Description

Apache Batik 1.13 is vulnerable to server-side request forgery (SSRF), caused by improper input validation in the NodePickerPanel. By supplying a specially crafted argument, an attacker can cause the underlying server to issue arbitrary GET requests to a target of the attacker's choosing. The CVSS vector below (PR:N, UI:N, C:H, I:L) rates the issue as reachable without authentication or user interaction, with the main impact being disclosure of whatever the server can be made to fetch.

References (13)

Core References
- Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
- Third Party Advisory (vendor advisory): https://security.gentoo.org/glsa/202401-11
- Release Notes, Vendor Advisory: https://xmlgraphics.apache.org/security.html

Scores

CVSS v3.1 base score: 8.2 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0136 (1.36%)
EPSS percentile: 80.4%

Details

CWE
CWE-918 (Server-Side Request Forgery), CWE-20 (Improper Input Validation)
Status published
Products (38)
apache/batik <= 1.13
debian/debian_linux 10.0
fedoraproject/fedora 33
fedoraproject/fedora 34
oracle/agile_engineering_data_management 6.2.1.0
oracle/banking_apis 18.3
oracle/banking_apis 19.1
oracle/banking_apis 19.2
oracle/banking_apis 20.1
oracle/banking_apis 21.1
... and 28 more
Published Feb 24, 2021
Tracked Since Feb 18, 2026