CVE-2020-11987 - Server-side Request Forgery (SSRF)

Severity: Low2021-12-20

Security Advisories

Abstract

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

The Oxygen PDF Chemistry product incorporates the Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen PDF Chemistry v24.0Low Oxygen PDF Chemistry 24.0 build 2021121317
Oxygen PDF Chemistry between v23.0 and v23.1Low Oxygen PDF Chemistry 23.1 build 2021121413
Oxygen PDF Chemistry between v22.0 and v22.1Low Oxygen PDF Chemistry 22.1 build 2021121712

Mitigation

None

Detail

CVE-2020-11987

Severity: High

CVSS Score: 8.2

The Apache Batik third-party library used by Oxygen PDF Chemistry product is an affected version mentioned in CVE-2020-11987 vulnerability description. However, NodePickerPanel class is not used in Oxygen PDF Chemistry. Therefore Oxygen PDF Chemistry product is not affected by CVE-2020-11987.

Revision History

2022-01-19 Updated affected versions and fixes.

List of Security Advisories

Video Tutorials
Upcoming Events
webinar
What is New in Oxygen XML Web Author 26.1
April 24, 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor