CVE-2020-11987
- CVSS v3.1 base score 8.2 (NVD)
- EPSS 0.63%
- Published 24 Feb 2021 18:15:11
- Last modified 21 Nov 2024 04:59:03
- Source security@apache.org
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (per NVD):
Fedoraproject ≫ Fedora Version 33
Fedoraproject ≫ Fedora Version 34
Oracle ≫ Agile Engineering Data Management Version 6.2.1.0
Oracle ≫ Banking Apis Version 18.3
Oracle ≫ Banking Apis Version 19.1
Oracle ≫ Banking Apis Version 19.2
Oracle ≫ Banking Apis Version 20.1
Oracle ≫ Banking Apis Version 21.1
Oracle ≫ Banking Digital Experience Version 18.3
Oracle ≫ Banking Digital Experience Version 19.1
Oracle ≫ Banking Digital Experience Version 19.2
Oracle ≫ Banking Digital Experience Version 20.1
Oracle ≫ Banking Digital Experience Version 21.1
Oracle ≫ Communications Application Session Controller Version 3.9m0p3
Oracle ≫ Communications Metasolv Solution Version 6.3.0
Oracle ≫ Communications Metasolv Solution Version 6.3.1
Oracle ≫ Communications Offline Mediation Controller Version 12.0.0.3.0
Oracle ≫ Enterprise Repository Version 11.1.1.7.0
Oracle ≫ Flexcube Universal Banking Version >= 14.1.0, <= 14.4.0
Oracle ≫ Fusion Middleware Mapviewer Version 12.2.1.4.0
Oracle ≫ Instantis Enterprisetrack Version 17.1
Oracle ≫ Instantis Enterprisetrack Version 17.2
Oracle ≫ Instantis Enterprisetrack Version 17.3
Oracle ≫ Insurance Policy Administration Version >= 11.0, <= 11.3.1
Oracle ≫ Product Lifecycle Analytics Version 3.6.1
Oracle ≫ Retail Back Office Version 14.1
Oracle ≫ Retail Central Office Version 14.1
Oracle ≫ Retail Order Broker Version 15.0
Oracle ≫ Retail Order Broker Version 16.0
Oracle ≫ Retail Order Management System Cloud Service Version 19.5
Oracle ≫ Retail Point-of-service Version 14.1
Oracle ≫ Retail Returns Management Version 14.1
Oracle ≫ Weblogic Server Version 12.2.1.3.0
Oracle ≫ Weblogic Server Version 12.2.1.4.0
Oracle ≫ Weblogic Server Version 14.1.1.0.0
Debian ≫ Debian Linux Version 10.0
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.63% | 0.693 |
Source | Base Score | Exploitability Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
nvd@nist.gov | 6.4 | 10 | 4.9 | AV:N/AC:L/Au:N/C:P/I:P/A:N (CVSS v2) |
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
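The CWE-918 pattern described above, and the "specially-crafted argument" shape of the NodePickerPanel bug, come down to one decision: a string under the caller's control becomes the destination of a server-side request without the destination being checked. The following is an added illustration of that pattern and of the check a fix needs; it is not Apache Batik code and does not reproduce the Batik trigger. The allowlist `ALLOWED_HOSTS`, the function names and the probe URLs are assumptions constructed for the example, and nothing is fetched: both functions only decide what would be requested.

```python
"""Added illustration of the CWE-918 (SSRF) pattern behind CVE-2020-11987.

Not Apache Batik code. A vulnerable fetch planner that forwards whatever
the caller supplied next to a hardened one that pins scheme, host and
port before any HTTP client is involved. Offline: nothing is fetched.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service is meant to reach.
ALLOWED_HOSTS = {"assets.example.org", "cdn.example.org"}


def plan_request_vulnerable(user_url: str) -> str:
    """Vulnerable shape: the attacker's string is the request target.

    A real implementation hands this straight to an HTTP client, so a
    value like 'http://169.254.169.254/latest/meta-data/' is requested
    from the server's own network position and with its credentials.
    """
    return user_url


class SSRFRejected(ValueError):
    """Raised when a URL must not be fetched on the caller's behalf."""


def _is_internal_address(host: str) -> bool:
    """True when host is an IP literal in a range the server must not reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; the allowlist decides
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def plan_request_hardened(user_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened shape: http(s) only, allowlisted host, default ports,
    no userinfo, no IP literals. Raises SSRFRejected for anything else."""
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in ("http", "https"):
        raise SSRFRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'http://cdn.example.org@10.0.0.1/' would otherwise pass a naive
        # substring check: the allowlisted name is only the userinfo.
        raise SSRFRejected("userinfo in URL")
    host = parts.hostname  # lower-cased, port and IPv6 brackets stripped
    if not host:
        raise SSRFRejected("missing host")
    if _is_internal_address(host):
        raise SSRFRejected(f"internal address literal: {host}")
    if host not in allowed_hosts:
        raise SSRFRejected(f"host not allowlisted: {host}")
    try:
        port = parts.port
    except ValueError as exc:
        raise SSRFRejected("malformed port") from exc
    if port not in (None, 80, 443):
        raise SSRFRejected(f"port not allowed: {port}")
    return user_url


def is_allowed(user_url: str) -> bool:
    """Convenience wrapper: True if the hardened planner accepts the URL."""
    try:
        plan_request_hardened(user_url)
        return True
    except SSRFRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate asset URL, then classic SSRF probes.
    for url in ["https://cdn.example.org/logo.svg",
                "http://169.254.169.254/latest/meta-data/",
                "http://cdn.example.org@127.0.0.1/",
                "file:///etc/passwd",
                "http://[::1]:8080/admin",
                "http://assets.example.org:8443/x"]:
        print(f"{url!r}: vulnerable would fetch {plan_request_vulnerable(url)!r}; "
              f"hardened allows: {is_allowed(url)}")
```

The allowlist is the primary control; the IP-literal check is defence in depth against probes that never reach the allowlist. One caveat the example cannot show offline: an allowlisted hostname can still resolve to an internal address if the attacker controls its DNS, so a production fix also resolves the name, applies the same range check to every resolved address, and connects to the address it checked rather than resolving again.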