CVE-2020-11987 - Server-side Request Forgery (SSRF)
Severity: Low
Date: 2021-12-20
Abstract
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
The Oxygen PDF Chemistry product incorporates Apache Batik 1.13 as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability on the product.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen PDF Chemistry v24.0 | Low | Oxygen PDF Chemistry 24.0 build 2021121317 |
| Oxygen PDF Chemistry between v23.0 and v23.1 | Low | Oxygen PDF Chemistry 23.1 build 2021121413 |
| Oxygen PDF Chemistry between v22.0 and v22.1 | Low | Oxygen PDF Chemistry 22.1 build 2021121712 |
Detail
CVE-2020-11987
Severity: High
CVSS Score: 8.2
The Apache Batik third-party library used by the Oxygen PDF Chemistry product is one of the affected versions named in the CVE-2020-11987 vulnerability description. However, the vulnerable NodePickerPanel class is not used by Oxygen PDF Chemistry, so the vulnerable code is not reachable. Therefore, the Oxygen PDF Chemistry product is not affected by CVE-2020-11987.