High severityNVD Advisory· Published Feb 24, 2021· Updated Nov 3, 2025
CVE-2020-11987
CVE-2020-11987
Description
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.xmlgraphics:batik-svgbrowserMaven | < 1.14 | 1.14 |
Affected products
3- Apache/Batikdescription
- ghsa-coords2 versionspkg:maven/org.apache.xmlgraphics/batik-svgbrowserpkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 1.14+ 1 more
- (no CPE)range: < 1.14
- (no CPE)range: < 1.17-2.7.1
Patches
Vulnerability mechanics
References
22- github.com/advisories/GHSA-2h63-qp69-fwvwghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2020-11987ghsaADVISORY
- security.gentoo.org/glsa/202401-11ghsavendor-advisoryWEB
- github.com/apache/xmlgraphics-batik/commit/0ef5b661a1f77772d1110877ea9e0287987098f6ghsaWEB
- issues.apache.org/jira/browse/BATIK-1284ghsaWEB
- lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3Eghsamailing-listWEB
- lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3Eghsamailing-listWEB
- lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00021.htmlghsamailing-listWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAMghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAMghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5ghsaWEB
- www.oracle.com//security-alerts/cpujul2021.htmlghsaWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsaWEB
- www.oracle.com/security-alerts/cpujan2022.htmlghsaWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsaWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsaWEB
- xmlgraphics.apache.org/security.htmlghsaWEB
News mentions
0No linked articles in our index yet.