{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-15T00:00:00Z",
  "bugzilla" : {
    "description" : "batik: SSRF via \"xlink:href\"",
    "id" : "1848617",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1848617"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-352",
  "details" : [ "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation of the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", "A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery (SSRF) attack via \"xlink:href\" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.8.0",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5568",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "batik"
  }, {
    "product_name" : "RHDM 7.9.0",
    "release_date" : "2020-11-05T00:00:00Z",
    "advisory" : "RHSA-2020:4960",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9",
    "package" : "batik"
  }, {
    "product_name" : "RHPAM 7.9.0",
    "release_date" : "2020-11-05T00:00:00Z",
    "advisory" : "RHSA-2020:4961",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9",
    "package" : "batik"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "eclipse",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17566\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17566" ],
  "name" : "CVE-2019-17566",
  "csaw" : false
}