CVE-2019-17566
Last modified
CVE-2019-17566 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.. EPSS estimates a 10.74% chance of exploitation in the next 30 days.
Description
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Batik | < 1.13 |
| Oracle | Api Gateway | 11.1.2.4.0 |
| Oracle | Business Intelligence | 5.5.0.0.0 |
| Oracle | Business Intelligence | 5.9.0.0.0 |
| Oracle | Business Intelligence | 12.2.1.3.0 |
| Oracle | Business Intelligence | 12.2.1.4.0 |
| Oracle | Communications Application Session Controller | 3.9m0p2 |
| Oracle | Communications Metasolv Solution | >= 6.3.0, <= 6.3.1 |
| Oracle | Communications Offline Mediation Controller | 12.0.0.3.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Fusion Middleware Mapviewer | 12.2.1.4.0 |
| Oracle | Hospitality Opera 5 | 5.5 |
| Oracle | Hospitality Opera 5 | 5.6 |
| Oracle | Hyperion Financial Reporting | 11.1.2.4 |
| Oracle | Hyperion Financial Reporting | 11.2.5.0 |
| Oracle | Instantis Enterprisetrack | >= 17.1, <= 17.3 |
| Oracle | Jd Edwards Enterpriseone Tools | < 9.2.4.0 |
| Oracle | Jd Edwards Enterpriseone Tools | 9.2.4.2 |
| Oracle | Retail Integration Bus | 15.0.3 |
| Oracle | Retail Order Broker | 15.0 |
| Oracle | Retail Order Broker | 16.0 |
| Oracle | Retail Order Management System Cloud Service | 19.5 |
| Oracle | Retail Point-Of-Service | 14.1 |
| Oracle | Retail Returns Management | 14.1 |
References
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- https://xmlgraphics.apache.org/security.htmlVendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- https://xmlgraphics.apache.org/security.htmlVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-17566?
How severe is CVE-2019-17566?
How do I fix CVE-2019-17566?
Are you affected by CVE-2019-17566?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST