CVE-2020-11987 - Server-side Request Forgery (SSRF)

Severity: Low2021-12-20

Security Advisories


Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

The Oxygen PDF Chemistry product incorporates the Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen PDF Chemistry v24.0Low Oxygen PDF Chemistry 24.0 build 2021121317
Oxygen PDF Chemistry between v23.0 and v23.1Low Oxygen PDF Chemistry 23.1 build 2021121413
Oxygen PDF Chemistry between v22.0 and v22.1Low Oxygen PDF Chemistry 22.1 build 2021121712





Severity: High

CVSS Score: 8.2

The Apache Batik third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11987 vulnerability description. However, NodePickerPanel class is not used in Oxygen PDF Chemistry. Therefore Oxygen PDF Chemistry product is not affected by CVE-2020-11987.

Revision History

2022-01-19 Updated affected versions and fixes.

List of Security Advisories