PT-2020-5514 · Apache · Apache Batik

Published

2020-06-15

·

Updated

2024-06-15

·

CVE-2019-17566

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache Batik. The entry's source does not give a version range; the fix for CVE-2019-17566 shipped in Apache Batik 1.13, so treat releases before 1.13 as affected.
Description: Apache Batik does not adequately restrict the URLs it resolves from xlink:href attributes (for example on <image> or <use> elements) while rendering an SVG document. An attacker who can get a server to render an SVG of their choosing with Batik can make that server issue arbitrary GET requests to hosts of the attacker's choosing, including internal services that are not reachable from outside (server-side request forgery). Because those requests originate from the server, they reach endpoints that trust the server's network position, so unauthenticated internal GET endpoints with side effects are exposed (the CSRF-like case this entry also tags). The listed CVSS v2 vector scores the issue as an integrity impact (forced outbound requests) with no confidentiality or availability impact.
Recommendations: Upgrade to Apache Batik 1.13 or later, which contains the fix; on the distributions listed under Affected Products, apply the vendor advisory package referenced below. Until that is possible: do not render SVG from untrusted sources, or validate it first and reject documents whose xlink:href (or href) values are anything other than same-document fragments or inline data: URIs; run the rendering component in an environment whose egress is restricted (no route to internal networks, cloud metadata services or co-located loopback services); and configure Batik's user agent to refuse external resources (Batik ships a NoLoadExternalResourceSecurity policy for this purpose). Restrict which callers can submit documents to the rendering endpoint so that the attack surface is limited to trusted users.
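The pre-render check the recommendations call for, as an added example in Python (not Apache Batik code and not from the advisory): it walks every href/xlink:href in an SVG, allows only same-document fragments and data: URIs, rejects every other scheme and every relative or network-path reference, and recurses into data: URIs that carry nested SVG, which a renderer would also process. The sample documents are constructed; the link-local address in them is only an illustrative internal target, and the attribute list is an assumption that should be audited against the elements the rendering pipeline actually handles.

```python
"""Pre-render audit of untrusted SVG: flag href/xlink:href values that would make a
renderer such as Batik fetch a resource over the network or from disk.
Added example, not Apache Batik code."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# SVG 1.1 uses xlink:href; SVG 2 also allows a plain href. Assumption: these two
# attributes are where external references live (CSS url() needs a separate pass).
HREF_ATTRS = (XLINK_HREF, "href")
MAX_NESTING = 3  # data: SVG inside data: SVG ...; bound the recursion


def _local(tag):
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def classify_href(href):
    """Return (verdict, reason); verdict is 'ok', 'data' or 'reject'."""
    value = href.strip()
    if value.startswith("#"):
        return "ok", "same-document fragment"
    scheme = urlsplit(value).scheme.lower()
    if scheme == "data":
        return "data", "inline data: URI"
    if scheme == "":
        # Relative and network-path ("//host/...") references are resolved against
        # the document base URL, so they still turn into a fetch. Fail closed.
        return "reject", "relative reference resolved against the document base"
    # http, https, file, jar, ftp, ...: the server would go and get something.
    return "reject", f"external scheme {scheme!r}"


def decode_data_uri(value):
    """Return (media_type, payload_bytes), or None if the data: URI is malformed."""
    m = re.match(r"data:([^,]*),(.*)", value.strip(), re.S | re.I)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    media = params[0] or "text/plain"
    if "base64" in params[1:]:
        try:
            raw = base64.b64decode(m.group(2))
        except ValueError:  # binascii.Error (bad padding) is a ValueError
            return None
    else:
        raw = unquote(m.group(2)).encode("utf-8")
    return media, raw


def audit_svg(svg_bytes, depth=0):
    """Return a list of (element, href, reason) findings; an empty list means clean."""
    if depth > MAX_NESTING:
        return [("document", "", f"data: SVG nested deeper than {MAX_NESTING}")]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("document", "", f"not well-formed XML: {exc}")]
    findings = []
    for elem in root.iter():
        for attr in HREF_ATTRS:
            href = elem.get(attr)
            if href is None:
                continue
            verdict, reason = classify_href(href)
            if verdict == "reject":
                findings.append((_local(elem.tag), href, reason))
            elif verdict == "data":
                decoded = decode_data_uri(href)
                if decoded is None:
                    findings.append((_local(elem.tag), href, "malformed data: URI"))
                elif decoded[0] == "image/svg+xml":
                    # Nested SVG is rendered too, so its references count as well.
                    findings.extend(audit_svg(decoded[1], depth + 1))
    return findings


def is_safe_to_render(svg_bytes):
    return not audit_svg(svg_bytes)


# Constructed samples (not from the advisory); the link-local address is only an
# illustrative internal target.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="http://169.254.169.254/latest/meta-data/" width="10" height="10"/>
  <use href="//internal.example/defs.svg#icon"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="4" height="4"/>
</svg>"""

# The malicious document hidden inside a data: URI of an otherwise empty SVG.
NESTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<image xlink:href="data:image/svg+xml;base64,' + base64.b64encode(MALICIOUS_SVG)
    + b'"/></svg>'
)

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG), ("nested", NESTED_SVG)):
        print(name, "safe" if is_safe_to_render(doc) else audit_svg(doc))
```

This is defense in depth for the interval before the upgrade, not a replacement for it: it does not see references made from CSS (url() in style attributes or <style> blocks), and xml.etree should be swapped for a hardened parser such as defusedxml when the same untrusted input could carry entity-expansion payloads.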

Exploit

SSRF

CSRF

RCE


Weakness Enumeration

Related Identifiers

BDU:2021-01018
CVE-2019-17566
GHSA-CMX4-P4V5-HMR5
MGASA-2021-0168
OPENSUSE-SU-2020:0851-1
OPENSUSE-SU-2020:1043-1
OPENSUSE-SU-2020_0851-1
OPENSUSE-SU-2024:11522-1
ROSA-SA-2023-2239
SUSE-SU-2020:1800-1
SUSE-SU-2020_1800-1
SUSE-SU-2024:0777-1
USN-6117-1

Affected Products

Apache Batik
Linuxmint
Suse
Ubuntu