https://bugzilla.redhat.com/show_bug.cgi?id=1933816
Bug ID: 1933816
Summary: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, akurtako@redhat.com, alazarot@redhat.com, almorale@redhat.com, andjrobins@gmail.com, anstephe@redhat.com, bibryam@redhat.com, chazlett@redhat.com, dbhole@redhat.com, drieden@redhat.com, ebaron@redhat.com, eclipse-sig@lists.fedoraproject.org, etirelli@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, hbraun@redhat.com, ibek@redhat.com, janstey@redhat.com, java-maint@redhat.com, jerboaa@gmail.com, jjohnstn@redhat.com, jkang@redhat.com, jochrist@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, lef@fedoraproject.org, mat.booth@redhat.com, mcermak@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, mprchlik@redhat.com, pantinor@redhat.com, patrickm@redhat.com, pjindal@redhat.com, rgrunber@redhat.com, rlandman@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, sdaley@redhat.com, vkadlcik@redhat.com
Target Milestone: ---
Classification: Other
Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
References:
https://xmlgraphics.apache.org/security.html
https://www.openwall.com/lists/oss-security/2021/02/24/1
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Depends On    |        |1933818, 1933817
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1933817 [Bug 1933817] CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1933818 [Bug 1933818] CVE-2020-11988 eclipse: xmlgraphics-commons: SSRF due to improper input validation by the XMPParser [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created eclipse tracking bugs for this issue:
Affects: fedora-all [bug 1933818]
Created xmlgraphics-commons tracking bugs for this issue:
Affects: fedora-all [bug 1933817]
Todd Cullum tcullum@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Depends On    |        |1938381, 1938380
--- Comment #9 from Todd Cullum tcullum@redhat.com --- Statement:
This flaw does not affect xmlgraphics-commons as shipped with Red Hat Enterprise Linux 8. It is out of support scope for Red Hat Enterprise Linux 6 and 7. To learn more about support scope for Red Hat Enterprise Linux, please see https://access.redhat.com/support/policy/updates/errata/ .
Todd Cullum tcullum@redhat.com changed:
What              |Removed |Added
----------------------------------------------------------------------------
Fixed In Version  |        |xmlgraphics-commons 2.6
--- Comment #11 from Todd Cullum tcullum@redhat.com --- Upstream patch commit: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39...
--- Comment #12 from Todd Cullum tcullum@redhat.com --- External References:
https://xmlgraphics.apache.org/security.html
--- Comment #13 from Todd Cullum tcullum@redhat.com --- Mitigation:
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
--- Comment #14 from Todd Cullum tcullum@redhat.com --- Flaw summary:
src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java loaded external DTDs, which could allow a malicious attacker to perform a server-side request forgery attack and execute arbitrary GET requests on the victim server. This could lead to compromise of data confidentiality and/or integrity.
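The flaw summary above comes down to parser configuration: a JAXP/SAX parser, as shipped by the JDK, fetches the external subset named in a DOCTYPE, so an attacker-supplied XMP packet can make the server issue a GET to any URL the attacker chooses. The following is an added example written for this page; it is not code from xmlgraphics-commons and not the upstream fix (the commit is only partially referenced in the thread). It parses a constructed XMP packet twice, once with a default SAXParserFactory and once with the features that stop the parser from reaching out, and records which system identifiers the parser tried to resolve instead of fetching them. The attacker host, the class and method names and the XMP snippet are all invented for the example.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example: why an XML parser that loads external DTDs is an SSRF
 * primitive, and how to switch that off. Not XMPParser's own code.
 */
public class XmpDtdDemo {

    // Constructed XMP packet. The DOCTYPE system identifier is the URL the
    // server would GET if external DTD loading is left at its default.
    // "attacker.example" is a placeholder host, not a real target.
    static final String XMP_WITH_EXTERNAL_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE x:xmpmeta SYSTEM \"http://attacker.example/internal-probe.dtd\">\n"
        + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
        + "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
        + "    <rdf:Description rdf:about=\"\"/>\n"
        + "  </rdf:RDF>\n"
        + "</x:xmpmeta>\n";

    /**
     * Records every system id the parser asks for instead of fetching it.
     * Each recorded id is a request the parser would otherwise have made.
     */
    static final class RecordingHandler extends DefaultHandler {
        final List<String> fetchAttempts = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            fetchAttempts.add(systemId);
            // Hand back an empty DTD so the demo keeps running offline.
            return new InputSource(new StringReader(""));
        }
    }

    /** Factory with JDK defaults: external DTDs and entities are loaded. */
    static SAXParserFactory defaultFactory() {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        return spf;
    }

    /** Same factory with every route to the network closed off. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = defaultFactory();
        // Do not fetch the external subset named in <!DOCTYPE ... SYSTEM "...">.
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Do not expand external general entities (&foo; declared with SYSTEM).
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Do not expand external parameter entities (%foo; inside the DTD).
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // No XInclude processing, another way to pull in remote content.
        spf.setXIncludeAware(false);
        return spf;
    }

    /** Parses the document and returns the system ids the parser tried to fetch. */
    static List<String> parseAndCollectFetches(SAXParserFactory spf, String xml) throws Exception {
        SAXParser parser = spf.newSAXParser();
        RecordingHandler handler = new RecordingHandler();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.fetchAttempts;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory fetches:  "
                + parseAndCollectFetches(defaultFactory(), XMP_WITH_EXTERNAL_DTD));
        System.out.println("hardened factory fetches: "
                + parseAndCollectFetches(hardenedFactory(), XMP_WITH_EXTERNAL_DTD));
    }
}
```

With the default factory the recorded list contains the DOCTYPE URL, which is the outbound request an attacker controls; with the hardened factory the external subset is skipped and nothing is resolved. If the application never expects a DOCTYPE in XMP input at all, the stricter option is to set `http://apache.org/xml/features/disallow-doctype-decl` to true and reject such documents outright. The same hardening applies to a `TransformerFactory` or `DocumentBuilderFactory` if the XML is parsed through those instead.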
Bug 1933816 depends on bug 1933818, which changed state.
Bug 1933818 Summary: CVE-2020-11988 eclipse: xmlgraphics-commons: SSRF due to improper input validation by the XMPParser [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1933818
What          |Removed |Added
----------------------------------------------------------------------------
Status        |ON_QA   |CLOSED
Resolution    |---     |ERRATA
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHPAM 7.11.0
Via RHSA-2021:2475 https://access.redhat.com/errata/RHSA-2021:2475
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Link ID       |        |Red Hat Product Errata RHSA-2021:2475
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHDM 7.11.0
Via RHSA-2021:2476 https://access.redhat.com/errata/RHSA-2021:2476
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Link ID       |        |Red Hat Product Errata RHSA-2021:2476
Product Security DevOps Team prodsec-dev@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |CLOSED
Resolution    |---     |ERRATA
Last Closed   |        |2021-06-17 15:04:09
--- Comment #19 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-11988
Bug 1933816 depends on bug 1933817, which changed state.
Bug 1933817 Summary: CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1933817
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |CLOSED
Resolution    |---     |EOL
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.10
Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Link ID       |        |Red Hat Product Errata RHSA-2021:5134