Bug 1933816 (CVE-2020-11988) - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
Summary: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11988
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1933817 1933818 1938380 1938381
Blocks: 1933819
Reported: 2021-03-01 19:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 21:33 UTC (History)

Fixed In Version: xmlgraphics-commons 2.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-17 15:04:09 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2475 0 None None None 2021-06-17 13:15:31 UTC
Red Hat Product Errata RHSA-2021:2476 0 None None None 2021-06-17 13:19:48 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:33:55 UTC

Description Guilherme de Almeida Suckevicz 2021-03-01 19:07:13 UTC
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

References:
https://xmlgraphics.apache.org/security.html
https://www.openwall.com/lists/oss-security/2021/02/24/1

Comment 1 Guilherme de Almeida Suckevicz 2021-03-01 19:07:44 UTC
Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1933818]


Created xmlgraphics-commons tracking bugs for this issue:

Affects: fedora-all [bug 1933817]

Comment 9 Todd Cullum 2021-03-13 01:39:37 UTC
Statement:

This flaw does not affect xmlgraphics-commons as shipped with Red Hat Enterprise Linux 8. It is out of support scope for Red Hat Enterprise Linux 6 and 7. To learn more about support scope for Red Hat Enterprise Linux, please see https://access.redhat.com/support/policy/updates/errata/ .

Comment 12 Todd Cullum 2021-03-15 22:01:48 UTC
External References:

https://xmlgraphics.apache.org/security.html

Comment 13 Todd Cullum 2021-03-15 22:01:51 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 14 Todd Cullum 2021-03-15 22:07:05 UTC
Flaw summary:

src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java loaded external DTDs which could allow a malicious attacker to perform a server-side request forgery attack and execute arbitrary GET requests on the victim server. This could lead to compromise of data confidentiality and/or integrity.
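
The description and the flaw summary above both come down to one parser setting: an XML parser that honours a DOCTYPE with an external SYSTEM identifier will fetch that URL, so XMP metadata supplied by an attacker turns the server into a GET client. The following Java class is an added illustration of the defensive configuration, written here as an example; it is not code from xmlgraphics-commons and does not reproduce the project's actual fix. The class name, the sample XMP packet and the placeholder DTD host (dtd.example.invalid) are constructed for the example; the JAXP/Xerces feature URIs are the standard ones shipped with the JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Example only (not xmlgraphics-commons code): parse XMP without fetching external DTDs. */
public class HardenedXmpParse {

    // Constructed sample: an XMP packet whose DOCTYPE points at an external DTD.
    // The host name is a placeholder (.invalid TLD), not a real endpoint.
    static final String XMP_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x:xmpmeta SYSTEM \"http://dtd.example.invalid/xmp.dtd\">\n"
      + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
      + "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/>\n"
      + "</x:xmpmeta>\n";

    // Same packet without a DOCTYPE: this is what well-formed XMP normally looks like.
    static final String XMP_PLAIN =
        "<?xml version=\"1.0\"?>\n"
      + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
      + "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"/>\n"
      + "</x:xmpmeta>\n";

    /** Builds a SAX parser that will not fetch external DTDs or external entities. */
    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // XMP never needs a DOCTYPE, so refuse one outright: the parser throws a
        // SAXParseException before any network access could be attempted.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be permitted: never load external
        // DTDs or resolve external general/parameter entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser();
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    static boolean parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        SAXParser p = newHardenedParser();
        try {
            p.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                    new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // Rejected locally; no outbound GET was issued for the SYSTEM identifier.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain XMP parsed: " + parse(XMP_PLAIN));
        System.out.println("XMP with external DTD parsed: " + parse(XMP_WITH_EXTERNAL_DTD));
    }
}
```

For a service that consumes untrusted image metadata, the detection side of the same issue is an outbound HTTP request from the parsing host to an unexpected destination at parse time; egress filtering on that host limits the blast radius of any parser that is still configured permissively.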

Comment 17 errata-xmlrpc 2021-06-17 13:15:22 UTC
This issue has been addressed in the following products:

  RHPAM 7.11.0

Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475

Comment 18 errata-xmlrpc 2021-06-17 13:19:33 UTC
This issue has been addressed in the following products:

  RHDM 7.11.0

Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476

Comment 19 Product Security DevOps Team 2021-06-17 15:04:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11988

Comment 20 errata-xmlrpc 2021-12-14 21:33:52 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

