CVE-2019-17566

Summary

CVE	CVE-2019-17566
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-11-12 18:15:00 UTC
Updated	2024-01-07 11:15:00 UTC
Description	Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Risk And Classification

Problem Types: CWE-918

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Batik	All	All	All	All
Application	Apache	Batik	All	All	All	All
Application	Oracle	Api Gateway	11.1.2.4.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.3.0	All	All	All
Application	Oracle	Business Intelligence	12.2.1.4.0	All	All	All
Application	Oracle	Business Intelligence	5.5.0.0.0	All	All	All
Application	Oracle	Business Intelligence	5.9.0.0.0	All	All	All
Application	Oracle	Communications Application Session Controller	3.9m0p2	All	All	All
Application	Oracle	Communications Metasolv Solution	All	All	All	All
Application	Oracle	Communications Offline Mediation Controller	12.0.0.3.0	All	All	All
Application	Oracle	Enterprise Repository	11.1.1.7.0	All	All	All
Application	Oracle	Financial Services Analytical Applications Infrastructure	All	All	All	All
Application	Oracle	Fusion Middleware Mapviewer	12.2.1.4.0	All	All	All
Application	Oracle	Hospitality Opera 5	5.5	All	All	All
Application	Oracle	Hospitality Opera 5	5.6	All	All	All
Application	Oracle	Hyperion Financial Reporting	11.1.2.4	All	All	All
Application	Oracle	Hyperion Financial Reporting	11.2.5.0	All	All	All
Application	Oracle	Instantis Enterprisetrack	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	9.2.4.2	All	All	All
Application	Oracle	Retail Integration Bus	15.0.3	All	All	All
Application	Oracle	Retail Order Broker	15.0	All	All	All
Application	Oracle	Retail Order Broker	16.0	All	All	All
Application	Oracle	Retail Order Management System Cloud Service	19.5	All	All	All
Application	Oracle	Retail Point-of-service	14.1	All	All	All
Application	Oracle	Retail Returns Management	14.1	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
[myfaces-commits] 20201211 [myfaces-tobago] 21/22: Update batik dependency from 1.9 to 1.13, because of CVE-2019-17566	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
GLSA-202401-11		security.gentoo.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
The Apache(tm) XML Graphics Project - Community	MISC	xmlgraphics.apache.org	Vendor Advisory
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
Oracle Critical Patch Update Advisory - April 2021	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

199377 Ubuntu Security Notification for Apache Batik Vulnerabilities (USN-6117-1)
710829 Gentoo Linux Apache Batik Multiple Vulnerabilities (GLSA 202401-11)
755916 SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0777-1)
87496 Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2022)