Server-Side Request Forgery in Apache Batik Affects Multiple Versions
CVE-2020-11987
8.2 HIGH
What is CVE-2020-11987?
Apache Batik version 1.13 is susceptible to a server-side request forgery attack due to inadequate input validation in the NodePickerPanel component. An attacker can exploit this vulnerability by crafting a malicious argument, compelling the server to execute unintended GET requests. This flaw could lead to unauthorized actions and potentially expose sensitive information, making it critical for users to update to secure versions to mitigate risks.
Affected Version(s)
Apache Batik 1.13