ID CVE-2019-17566
Summary Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:batik:-:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:-:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.1:rc1:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.1:rc2:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.1:rc3:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.1:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.1:rc4:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.1:rc4:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta1:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta2:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta3:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta3:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta4:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta4:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta4b:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta4b:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5:beta5:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5:beta5:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.5.1:rc2:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.5.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.7:beta1:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.7:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
    cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
    cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
    cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
    cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 07-01-2024 - 11:15)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
misc
mlist
  • [myfaces-commits] 20201120 [myfaces-tobago] branch tobago-2.x updated: Update batik dependency from 1.9 to 1.13, because of CVE-2019-17566
  • [myfaces-commits] 20201211 [myfaces-tobago] 21/22: Update batik dependency from 1.9 to 1.13, because of CVE-2019-17566
Last major update 07-01-2024 - 11:15
Published 12-11-2020 - 18:15
Last modified 07-01-2024 - 11:15
Back to Top