Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. References: https://xmlgraphics.apache.org/security.html https://www.openwall.com/lists/oss-security/2021/02/24/1
Created eclipse tracking bugs for this issue: Affects: fedora-all [bug 1933818] Created xmlgraphics-commons tracking bugs for this issue: Affects: fedora-all [bug 1933817]
Statement: This flaw does not affect xmlgraphics-commons as shipped with Red Hat Enterprise Linux 8. It is out of support scope for Red Hat Enterprise Linux 6 and 7. To learn more about support scope for Red Hat Enterprise Linux, please see https://access.redhat.com/support/policy/updates/errata/ .
Upstream patch commit: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
External References: https://xmlgraphics.apache.org/security.html
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Flaw summary: src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java loaded external DTDs which could allow an malicious attacker to perform a server-side request forgery attack and execute arbitrary GET requests on the victim server. This could lead to compromise of data confidentiality and/or integrity.
This issue has been addressed in the following products: RHPAM 7.11.0 Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475
This issue has been addressed in the following products: RHDM 7.11.0 Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11988
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134