PT-2021-9432 · Apache · Apache Batik

Published: 2021-02-24 · Updated: 2025-07-20 · CVE-2020-11987

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Batik version 1.13

Description
The issue is caused by improper input validation in the NodePickerPanel, which allows an attacker to make the underlying server issue arbitrary GET requests. This can be achieved with a specially crafted argument.

Recommendations
For Apache Batik version 1.13, consider disabling the NodePickerPanel functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable component to minimize the risk of arbitrary GET requests being made by the underlying server.

Tags: RCE, SSRF
Related Identifiers

CVE-2020-11987
DLA-3619-1
DLA-4243-1
GHSA-2H63-QP69-FWVW
MGASA-2021-0139
MGASA-2021-0168
OESA-2021-1134
OPENSUSE-SU-2024:12402-1
SUSE-SU-2024:0777-1
USN-6117-1

Affected Products

Apache Batik
Astra Linux
Debian
Linuxmint
Suse
Ubuntu