Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 724534 (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987) - dev-java/batik: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987)
Summary: dev-java/batik: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566, CVE-...
Alias: CVE-2018-8013, CVE-2019-17566, CVE-2020-11987
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [ebuild cve]
Depends on: 710208
  Show dependency tree
Reported: 2020-05-22 07:53 UTC by Sam James
Modified: 2021-06-17 06:33 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-05-22 07:53:43 UTC
"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization."
Comment 1 John Helmert III gentoo-dev Security 2020-06-15 16:54:20 UTC
Also CVE-2019-17566,

"The Apache Batik library is vulnerable to SSRF via "xlink:href" attributes that allow an attacker to cause the underlying server to make arbitrary GET requests.

Users should upgrade to Batik 1.13 or later and pass -blockExternalResources on the command line"
Comment 2 John Helmert III gentoo-dev Security 2021-02-25 19:17:55 UTC

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.