{"uuid": "e680ad01-29f9-430a-889c-bd080a1f7023", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-38633", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/185", "content": "When URL parsers disagree (CVE-2023-38633)\n\n\ud83d\udc64 by Zac Sims\n\nCanva uses librsvg to quickly render user-provided SVGs into thumbnails later displayed as PNGs. By exploiting differences in URL parsers when rendering an SVG with librsvg, they showed it's possible to include arbitrary files from disk in the resulting image. The librsvg maintainers quickly patched the issue and issued a security vulnerability (CVE-2023-38633).\n\n\ud83d\udcdd Contents:\n\u25cf Prequel\n\u25cf XInclude\n\u25cf There are rules\n\u25cf Parser Mismatch\n\u25cf Bypassing Validation\n\u25cf Bypassing Canonicalization\n\u25cf Proof of concept\n\u25cf Patch\n\u25cf Timeline\n\nhttps://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/\n\nIf the link above doesn't work, use a web archive version.", "creation_timestamp": "2023-09-05T08:41:50.000000Z"}