{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-24T00:00:00Z",
  "bugzilla" : {
    "description" : "batik: SSRF due to improper input validation by the NodePickerPanel",
    "id" : "1933808",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1933808"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-918",
  "details" : [ "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.10",
    "release_date" : "2021-12-14T00:00:00Z",
    "advisory" : "RHSA-2021:5134",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "batik",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "eclipse:rhel8/batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11987\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11987\nhttps://xmlgraphics.apache.org/security.html" ],
  "name" : "CVE-2020-11987",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}