CVE-2019-17566: Server-Side Request Forgery (SSRF)
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation of “xlink:href” attributes. By supplying a specially crafted “xlink:href” value in an SVG document, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
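As an added defensive check (not part of this advisory and not Batik's own code), the pre-filter below rejects SVG input whose href attributes point anywhere other than in-document fragments or inline data: URIs before the document reaches a server-side renderer. The unprefixed SVG 2 `href` attribute and the sample SVG are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

XLINK_NS = "http://www.w3.org/1999/xlink"
# Batik follows xlink:href; the unprefixed SVG 2 "href" is included as an assumption
# so documents using the newer form are screened too.
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def classify_href(value):
    """Return 'fragment', 'relative', or the lowercase URI scheme of an href value."""
    v = value.strip()
    if v.startswith("#"):
        return "fragment"  # same-document reference, never leaves the process
    m = SCHEME_RE.match(v)
    return m.group(1).lower() if m else "relative"


def find_external_refs(svg_text, allowed=("fragment", "data")):
    """List (element, attribute, value) for every href that is not on the allow-list.

    Anything with a network or file scheme, and relative paths (which resolve
    against the renderer's base URL), is reported so the caller can refuse the document.
    """
    hits = []
    for el in ET.fromstring(svg_text).iter():
        for attr in HREF_ATTRS:
            val = el.get(attr)
            if val is not None and classify_href(val) not in allowed:
                name = "xlink:href" if attr.startswith("{") else attr
                hits.append((el.tag.split("}")[-1], name, val))
    return hits


def is_safe_to_render(svg_text):
    """True when the SVG only references in-document ids and inline data: URIs."""
    return not find_external_refs(svg_text)


# Constructed sample: two harmless references and two that would make the server fetch a URL.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <use xlink:href="#g"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <image xlink:href="http://internal.example/metadata"/>
  <image href="https://intranet.example/logo.png"/>
</svg>"""

if __name__ == "__main__":
    for hit in find_external_refs(SAMPLE_SVG):
        print("blocked external reference:", hit)
    print("safe to render:", is_safe_to_render(SAMPLE_SVG))
```

Run it as a gate in front of the rendering step and log the returned tuples; the same check also gives an easy detection signal for documents that attempt outbound fetches.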
References
- github.com/advisories/GHSA-cmx4-p4v5-hmr5
- github.com/apache/xmlgraphics-batik/commit/bc6078ca949039e2076cd08b4cb169c84c1179b1
- issues.apache.org/jira/browse/BATIK-1276
- lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E
- lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2019-17566
- www.oracle.com//security-alerts/cpujul2021.html
- www.oracle.com/security-alerts/cpuApr2021.html
- www.oracle.com/security-alerts/cpujan2021.html
- www.oracle.com/security-alerts/cpujan2022.html
- www.oracle.com/security-alerts/cpuoct2021.html
- xmlgraphics.apache.org/security.html
Detect and mitigate CVE-2019-17566 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.