cvelistv5 - CVE-2023-24813

CVE-2023-24813

Vulnerability from cvelistv5

Published

2023-02-07 18:05

Modified

2025-03-10 21:15

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

URL	Tags
security-advisories@github.com	https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	dompdf	dompdf	Version: = 2.0.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T11:03:19.250Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
               },
               {
                  name: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-24813",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-10T21:02:26.149057Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-10T21:15:40.002Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "dompdf",
               vendor: "dompdf",
               versions: [
                  {
                     status: "affected",
                     version: "= 2.0.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-436",
                     description: "CWE-436: Interpretation Conflict",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-02-07T18:05:14.541Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
            },
            {
               name: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
            },
         ],
         source: {
            advisory: "GHSA-56gj-mvh6-rp75",
            discovery: "UNKNOWN",
         },
         title: "URI validation failure on SVG parsing. Bypass of CVE-2023-23924",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-24813",
      datePublished: "2023-02-07T18:05:14.541Z",
      dateReserved: "2023-01-30T14:43:33.704Z",
      dateUpdated: "2025-03-10T21:15:40.002Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-24813\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-07T19:15:09.393\",\"lastModified\":\"2024-11-21T07:48:26.770\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dompdf_project:dompdf:2.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC8AD8A6-BF3D-4457-A3F1-31C8EBF74B03\"}]}]}],\"references\":[{\"url\":\"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\", \"name\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\", \"name\": \"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:03:19.250Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-24813\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:02:26.149057Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:02:27.389Z\"}}], \"cna\": {\"title\": \"URI validation failure on SVG parsing. Bypass of CVE-2023-23924\", \"source\": {\"advisory\": \"GHSA-56gj-mvh6-rp75\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dompdf\", \"product\": \"dompdf\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 2.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\", \"name\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\", \"name\": \"https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-436\", \"description\": \"CWE-436: Interpretation Conflict\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-02-07T18:05:14.541Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2023-24813\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:15:40.002Z\", \"dateReserved\": \"2023-01-30T14:43:33.704Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-02-07T18:05:14.541Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

ghsa-56gj-mvh6-rp75

Vulnerability from github

Published

2023-02-07 18:16

Modified

2023-02-08 16:18

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

URI validation failure on SVG parsing. Bypass of CVE-2023-23924

Details

Summary

Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.

Details

Dompdf parses the href attribute of image tags with the following code:

src/Image/Cache.php line 135-150 php function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if (strtolower($name) === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); $url = $attributes["xlink:href"] ?? $attributes["href"]; if (!empty($url)) { $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); if ($inner_full_url === $full_url) { throw new ImageException("SVG self-reference is not allowed", E_WARNING); } [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); if (!empty($message)) { throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); } } } },

As you can see from the code snippet above, it respects xlink:href even if href is specified. php $url = $attributes["xlink:href"] ?? $attributes["href"];

However, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:

src/Svg/Tag/Image.php line 51-57 ``` php if (isset($attributes['xlink:href'])) { $this->href = $attributes['xlink:href']; }

if (isset($attributes['href'])) { $this->href = $attributes['href']; } ```

Since href is respected if both xlink:href and href is specified, it's possible to bypass the protection on the Dompdf side by providing an empty xlink:href attribute.

Impact

An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "Packagist",
            name: "dompdf/dompdf",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.0.2",
                  },
                  {
                     fixed: "2.0.3",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
         versions: [
            "2.0.2",
         ],
      },
   ],
   aliases: [
      "CVE-2023-24813",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-436",
      ],
      github_reviewed: true,
      github_reviewed_at: "2023-02-07T18:16:23Z",
      nvd_published_at: "2023-02-07T19:15:00Z",
      severity: "CRITICAL",
   },
   details: "### Summary\nDue to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.\n\n### Details\nDompdf parses the href attribute of `image` tags with the following code:\n\n[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)\n``` php\nfunction ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n    if (strtolower($name) === \"image\") {\n        $attributes = array_change_key_case($attributes, CASE_LOWER);\n        $url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n        if (!empty($url)) {\n            $inner_full_url = Helpers::build_url($parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $url);\n            if ($inner_full_url === $full_url) {\n                throw new ImageException(\"SVG self-reference is not allowed\", E_WARNING);\n            }\n            [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $options);\n            if (!empty($message)) {\n                throw new ImageException(\"This SVG document references a restricted resource. $message\", E_WARNING);\n            }\n        }\n    }\n},\n```\n\nAs you can see from the code snippet above, it respects `xlink:href` even if `href` is specified.\n``` php\n$url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n```\n\nHowever, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:\n\n[`src/Svg/Tag/Image.php` line 51-57](https://github.com/dompdf/php-svg-lib/blob/76876c6cf3080bcb6f249d7d59705108166a6685/src/Svg/Tag/Image.php#L51-L57)\n``` php\nif (isset($attributes['xlink:href'])) {\n    $this->href = $attributes['xlink:href'];\n}\n\nif (isset($attributes['href'])) {\n    $this->href = $attributes['href'];\n}\n```\n\nSince `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute.\n\n### Impact\nAn attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.",
   id: "GHSA-56gj-mvh6-rp75",
   modified: "2023-02-08T16:18:55Z",
   published: "2023-02-07T18:16:23Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24813",
      },
      {
         type: "WEB",
         url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/dompdf/dompdf",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
   summary: "URI validation failure on SVG parsing. Bypass of CVE-2023-23924",
}

gsd-2023-24813

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-24813

Aliases

CVE-2023-24813

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2023-24813",
      id: "GSD-2023-24813",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2023-24813",
         ],
         details: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
         id: "GSD-2023-24813",
         modified: "2023-12-13T01:20:58.114733Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security-advisories@github.com",
            ID: "CVE-2023-24813",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "dompdf",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: "=",
                                       version_value: "= 2.0.2",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "dompdf",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
               },
            ],
         },
         impact: {
            cvss: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 10,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        cweId: "CWE-436",
                        lang: "eng",
                        value: "CWE-436: Interpretation Conflict",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
                  refsource: "MISC",
                  url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
               },
               {
                  name: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
                  refsource: "MISC",
                  url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
               },
            ],
         },
         source: {
            advisory: "GHSA-56gj-mvh6-rp75",
            discovery: "UNKNOWN",
         },
      },
      "gitlab.com": {
         advisories: [
            {
               affected_range: "=2.0.2",
               affected_versions: "Version 2.0.2",
               cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-436",
                  "CWE-937",
               ],
               date: "2023-02-16",
               description: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
               fixed_versions: [
                  "2.0.3",
               ],
               identifier: "CVE-2023-24813",
               identifiers: [
                  "CVE-2023-24813",
                  "GHSA-56gj-mvh6-rp75",
               ],
               not_impacted: "All versions before 2.0.2, all versions after 2.0.2",
               package_slug: "packagist/dompdf/dompdf",
               pubdate: "2023-02-07",
               solution: "Upgrade to version 2.0.3 or above.",
               title: "Interpretation Conflict",
               urls: [
                  "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
                  "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
                  "https://nvd.nist.gov/vuln/detail/CVE-2023-24813",
                  "https://github.com/advisories/GHSA-56gj-mvh6-rp75",
               ],
               uuid: "07f8784f-8d18-4b9d-b7fd-197bb17ff4c3",
            },
         ],
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:dompdf_project:dompdf:2.0.2:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2023-24813",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-436",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
                     refsource: "MISC",
                     tags: [
                        "Exploit",
                        "Vendor Advisory",
                     ],
                     url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
                  },
                  {
                     name: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
                     refsource: "MISC",
                     tags: [
                        "Patch",
                        "Vendor Advisory",
                     ],
                     url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
                  },
               ],
            },
         },
         impact: {
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               exploitabilityScore: 3.9,
               impactScore: 5.9,
            },
         },
         lastModifiedDate: "2023-02-16T14:53Z",
         publishedDate: "2023-02-07T19:15Z",
      },
   },
}

fkie_cve-2023-24813

Vulnerability from fkie_nvd

Published

2023-02-07 19:15

Modified

2024-11-21 07:48

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	dompdf_project	dompdf	2.0.2

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:dompdf_project:dompdf:2.0.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "FC8AD8A6-BF3D-4457-A3F1-31C8EBF74B03",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
      },
   ],
   id: "CVE-2023-24813",
   lastModified: "2024-11-21T07:48:26.770",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 10,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 6,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2023-02-07T19:15:09.393",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Vendor Advisory",
         ],
         url: "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-436",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-24813

Vulnerability from cvelistv5

ghsa-56gj-mvh6-rp75

Vulnerability from github

Summary

Details

Impact

gsd-2023-24813

Vulnerability from gsd

fkie_cve-2023-24813

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature