exploitDog

CVE-2019-17566

Published: 12 Nov 2020
Source: nvd
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

References

Vulnerable configurations

Configuration 1
cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*
Versions before 1.13 (exclusive)
Configuration 2

One of

cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:*:*:*:*:*:*:*:*
Versions from 6.3.0 (inclusive) to 6.3.1 (inclusive)
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Versions from 8.0.6 (inclusive) to 8.1.0 (inclusive)
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
Versions from 17.1 (inclusive) to 17.3 (inclusive)
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Versions before 9.2.4.0 (exclusive)
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*

EPSS

Percentile: 74%
0.00815
Low

7.5 High

CVSS3

5 Medium

CVSS2

Weaknesses

CWE-918

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 5 years ago

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVSS3: 7.5
redhat
more than 5 years ago

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVSS3: 7.5
debian
about 5 years ago

Apache Batik is vulnerable to server-side request forgery, caused by i ...

suse-cvrf
more than 5 years ago

Security update for xmlgraphics-batik

suse-cvrf
more than 5 years ago

Security update for xmlgraphics-batik
