{"containers":{"cna":{"affected":[{"product":"Apache XmlGraphics Commons","vendor":"n/a","versions":[{"lessThan":"2.6","status":"affected","version":"Apache XmlGraphics Commons","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."}],"problemTypes":[{"descriptions":[{"description":"Information Disclosure","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2022-01-04T12:29:48.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_MISC"],"url":"https://xmlgraphics.apache.org/security.html"},{"name":"[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"},{"name":"[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"},{"name":"[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"},{"name":"FEDORA-2021-aa2936e810","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"},{"name":"FEDORA-2021-c07a9e79cf","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2020-11988","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache XmlGraphics Commons","version":{"version_data":[{"version_affected":"<","version_name":"Apache XmlGraphics Commons","version_value":"2.6"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Information Disclosure"}]}]},"references":{"reference_data":[{"name":"https://xmlgraphics.apache.org/security.html","refsource":"MISC","url":"https://xmlgraphics.apache.org/security.html"},{"name":"[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E"},{"name":"[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)","refsource":"MLIST","url":"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b@%3Cdev.jmeter.apache.org%3E"},{"name":"[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E"},{"name":"FEDORA-2021-aa2936e810","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"},{"name":"FEDORA-2021-c07a9e79cf","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"},{"name":"https://www.oracle.com//security-alerts/cpujul2021.html","refsource":"MISC","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T11:48:57.553Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://xmlgraphics.apache.org/security.html"},{"name":"[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05%40%3Cdev.poi.apache.org%3E"},{"name":"[jmeter-dev] 20210305 [GitHub] [jmeter] sseide opened a new pull request #648: update xmlgraphics-commons to 2.6 (from 2.3)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/ra8f4d6ae402ec020ee3e8c28632c91be131c4d8b4c9c6756a179b12b%40%3Cdev.jmeter.apache.org%3E"},{"name":"[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2%40%3Cdev.poi.apache.org%3E"},{"name":"FEDORA-2021-aa2936e810","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JP4XA56DA3BFNRBBLBXM6ZAI5RUVFA33/"},{"name":"FEDORA-2021-c07a9e79cf","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22HESSYU7T4D6GGENUVEX3X3H6FGBECH/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2020-11988","datePublished":"2021-02-24T17:05:39.000Z","dateReserved":"2020-04-21T00:00:00.000Z","dateUpdated":"2024-08-04T11:48:57.553Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}