{ "threat_severity" : "Moderate", "public_date" : "2021-02-24T00:00:00Z", "bugzilla" : { "description" : "xmlgraphics-commons: SSRF due to improper input validation by the XMPParser", "id" : "1933816", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1933816" }, "cvss3" : { "cvss3_base_score" : "8.2", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-918", "details" : [ "Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later." ], "statement" : "This flaw does not affect xmlgraphics-commons as shipped with Red Hat Enterprise Linux 8. It is out of support scope for Red Hat Enterprise Linux 6 and 7. To learn more about support scope for Red Hat Enterprise Linux, please see https://access.redhat.com/support/policy/updates/errata/ .", "affected_release" : [ { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "xmlgraphics-commons" }, { "product_name" : "RHDM 7.11.0", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2476", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.11", "package" : "xmlgraphics-commons" }, { "product_name" : "RHPAM 7.11.0", "release_date" : "2021-06-17T00:00:00Z", "advisory" : "RHSA-2021:2475", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.11", "package" : "xmlgraphics-commons" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "eclipse", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "xmlgraphics-commons", "cpe" : "cpe:/a:redhat:jboss_fuse:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11988\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11988\nhttps://xmlgraphics.apache.org/security.html" ], "name" : "CVE-2020-11988", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }