CVE-2023-45139

2024-01-1016:15:46

Debian Security Bug Tracker

security-tracker.debian.org

xml external entity injection

python

font manipulation

ot-svg fonts

filesystem vulnerability

web requests

patch

unix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

High

EPSS

0.001

Percentile

31.2%

JSON

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

OSVersionArchitecturePackageVersionFilename
Debian12allfonttools<= 4.38.0-1fonttools_4.38.0-1_all.deb
Debian11allfonttools< 4.19.1-1fonttools_4.19.1-1_all.deb
Debian999allfonttools< 4.46.0-1fonttools_4.46.0-1_all.deb
Debian13allfonttools< 4.46.0-1fonttools_4.46.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	fonttools	<= 4.38.0-1	fonttools_4.38.0-1_all.deb
Debian	11	all	fonttools	< 4.19.1-1	fonttools_4.19.1-1_all.deb
Debian	999	all	fonttools	< 4.46.0-1	fonttools_4.46.0-1_all.deb
Debian	13	all	fonttools	< 4.46.0-1	fonttools_4.46.0-1_all.deb