[eclipse-sig] [Bug 1933808] New: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel

https://bugzilla.redhat.com/show_bug.cgi?id=1933808 Bug ID: 1933808 Summary: CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: gsuckevi(a)redhat.com CC: aileenc(a)redhat.com, akurtako(a)redhat.com, andjrobins(a)gmail.com, chazlett(a)redhat.com, dbhole(a)redhat.com, drieden(a)redhat.com, ebaron(a)redhat.com, eclipse-sig(a)lists.fedoraproject.org, ggaughan(a)redhat.com, gmalinko(a)redhat.com, janstey(a)redhat.com, java-maint(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jerboaa(a)gmail.com, jjohnstn(a)redhat.com, jkang(a)redhat.com, jochrist(a)redhat.com, jvanek(a)redhat.com, jwon(a)redhat.com, lef(a)fedoraproject.org, mat.booth(a)redhat.com, mizdebsk(a)redhat.com, rgrunber(a)redhat.com Target Milestone: --- Classification: Other Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. References: https://xmlgraphics.apache.org/security.html https://www.openwall.com/lists/oss-security/2021/02/24/2 -- You are receiving this mail because: You are on the CC list for the bug.