Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 724534 (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987) - <dev-java/batik-1.14: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987)
Summary: <dev-java/batik-1.14: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566...
Status: IN_PROGRESS
Alias: CVE-2018-8013, CVE-2019-17566, CVE-2020-11987
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://xmlgraphics.apache.org/securi...
Whiteboard: B2 [glsa? cve]
Keywords:
Depends on: 831112 843278
Blocks:
  Show dependency tree
 
Reported: 2020-05-22 07:53 UTC by Sam James
Modified: 2022-05-14 01:45 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 07:53:43 UTC 
Description:
"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 16:54:20 UTC 
Also CVE-2019-17566, https://seclists.org/oss-sec/2020/q2/189:

"The Apache Batik library is vulnerable to SSRF via "xlink:href" attributes that allow an attacker to cause the underlying server to make arbitrary GET requests.

Users should upgrade to Batik 1.13 or later and pass -blockExternalResources on the command line"
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:17:55 UTC 
CVE-2020-11987:

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-14 01:45:50 UTC 
Thanks!