Server-side request forgery (SSRF) in Apache Batik
High severity
GitHub Reviewed
Published
Jan 6, 2022
to the GitHub Advisory Database
•
Updated Jan 8, 2024
Package
Affected versions
< 1.14
Patched versions
1.14
Description
Published by the National Vulnerability Database
Feb 24, 2021
Reviewed
Mar 26, 2021
Published to the GitHub Advisory Database
Jan 6, 2022
Last updated
Jan 8, 2024
Credits
-
jkmartindale Analyst
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
References