
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN123
_____________________________________________________________________

DATE                : 26/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache XML Graphics Batik versions
                                       1.13 and earlier.

=====================================================================
http://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-users/202102.mbox/%3c000b01d70aa5$df1b5130$9d51f390$@gmail.com%3e
_____________________________________________________________________

CVE-2020-11987:
        Apache XML Graphics Batik SSRF vulnerability

Severity:
        Medium

Vendor:
        The Apache Software Foundation

Versions Affected:
        Batik 1.13 and earlier

Description:
        The Apache Batik library is vulnerable to SSRF via the
NodePickerPanel, which allows an attacker to cause the underlying server to
make arbitrary GET requests.

Mitigation:
        Users should upgrade to Batik 1.14 or later (1.13 is itself
affected).
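
        A practical way to apply this mitigation, added here as an example
that is not part of the advisory or of the Batik project: the script below
scans a dependency inventory (lines from `mvn dependency:tree` output or jar
paths on disk) for Batik artifacts and flags any whose version is 1.13 or
earlier. Versions are compared numerically, component by component, because
a plain string comparison would rank 1.9 above 1.13 and miss old jars. The
artifact names, paths and inventory lines are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# CVE-2020-11987: Batik 1.13 and earlier are affected; 1.14 is the first fixed release.
FIXED_VERSION = (1, 14)

# Maven coordinate, with or without the ":jar:" packaging field that
# `mvn dependency:tree` prints, e.g.
#   org.apache.xmlgraphics:batik-transcoder:jar:1.13:compile
_COORD_RE = re.compile(
    r"org\.apache\.xmlgraphics:(batik-[a-z0-9-]+):(?:jar:)?(\d+(?:\.\d+)*)"
)
# Jar file name on disk, e.g. /opt/app/lib/batik-swing-1.13.jar
_JAR_RE = re.compile(
    r"(batik-[a-z0-9-]+?)-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9.-]*)?\.jar$"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.13' into (1, 13) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when the Batik version is 1.13 or earlier (CVE-2020-11987)."""
    v = parse_version(version)
    # Pad short versions with zeros so '1' compares as (1, 0).
    padded = v + (0,) * (len(FIXED_VERSION) - len(v))
    return padded < FIXED_VERSION


def extract(line: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) if the line names a Batik coordinate or jar."""
    m = _COORD_RE.search(line)
    if m:
        return m.group(1), m.group(2)
    m = _JAR_RE.search(line.strip())
    if m:
        return m.group(1), m.group(2)
    return None


def find_affected(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """List (artifact, version) pairs that must be upgraded to Batik 1.14 or later."""
    hits = []
    for line in lines:
        found = extract(line)
        if found and is_affected(found[1]):
            hits.append(found)
    return hits


# Constructed sample inventory: two dependency:tree lines and three jar paths.
SAMPLE_INVENTORY = """\
[INFO] +- org.apache.xmlgraphics:batik-transcoder:jar:1.13:compile
[INFO] |  +- org.apache.xmlgraphics:batik-svgrasterizer:jar:1.14:compile
/opt/app/lib/batik-swing-1.9.jar
/opt/app/lib/batik-all-1.14.jar
/opt/app/lib/xmlgraphics-commons-2.6.jar
"""

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_INVENTORY.splitlines()):
        print(f"{artifact} {version}: affected by CVE-2020-11987, upgrade to 1.14+")
```

        Feed it real data with, for example,
`mvn dependency:tree | python3 batik_check.py` after replacing the embedded
sample with `sys.stdin`; the numeric comparison is the part worth keeping,
since the 1.9 / 1.13 ordering trap bites any ad hoc grep-based check.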

Credit:
        This issue was independently reported by 张相浩

References:
        http://xmlgraphics.apache.org/security.html

The Apache XML Graphics team.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================