Gentoo Foundation GLSA-202408-14
Published: Aug 09, 2024

Librsvg: Arbitrary File Read

Source: Gentoo Foundation, security.gentoo.org
Tags: librsvg, directory traversal, url decoder, disclosure, file read, cve identifier, upgrade, gnome, librsvg-2.56.3

CVSS3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

AI Score: 7.3 (Confidence: Low)

Background

Librsvg is a library to render SVG files using cairo as a rendering engine.

Description

A directory traversal problem in the URL decoder of librsvg could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../…/…/…/…/…/…/…/…/…/etc/passwd" in an xi:include element.
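As an added example (not code from the GLSA or from librsvg), the check below shows how a defender can audit an SVG for xi:include hrefs that, once percent-decoded and normalised, resolve outside the directory the document is allowed to read from; the base directory /srv/svg and the sample SVG are assumptions constructed for the demonstration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XI_NS = "http://www.w3.org/2001/XInclude"   # namespace of xi:include
BASE_DIR = "/srv/svg"                        # assumed directory the SVG may read from

# Constructed sample: one legitimate include and two that reach outside BASE_DIR
# (the ".?../" form from the advisory and a percent-encoded variant).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="icons/logo.svg"/>
  <xi:include href=".?../../../../etc/passwd" parse="text"/>
  <xi:include href="%2e%2e/%2e%2e/etc/hostname" parse="text"/>
</svg>
"""


def resolved_target(href: str, base_dir: str = BASE_DIR) -> str:
    """Percent-decode href and resolve it as a file path under base_dir.

    The decoded string is checked as a whole rather than as a parsed URL, so a
    '?' cannot hide the '../' segments that follow it from the containment test:
    what is checked is the same string a file-opening call would receive.
    """
    path = unquote(href)                      # decode before normalising
    if not path.startswith("/"):
        path = posixpath.join(base_dir, path)
    return posixpath.normpath(path)           # collapses "." and ".." segments


def href_escapes_base(href: str, base_dir: str = BASE_DIR) -> bool:
    """True if the include would read a file outside base_dir."""
    base = posixpath.normpath(base_dir)
    target = resolved_target(href, base)
    return not (target == base or target.startswith(base + "/"))


def suspicious_includes(svg_text: str, base_dir: str = BASE_DIR) -> list[str]:
    """Return the hrefs of xi:include elements that escape base_dir."""
    root = ET.fromstring(svg_text)
    return [el.get("href") for el in root.iter(f"{{{XI_NS}}}include")
            if el.get("href") and href_escapes_base(el.get("href"), base_dir)]


if __name__ == "__main__":
    for href in suspicious_includes(SAMPLE_SVG):
        print("escapes base dir:", href, "->", resolved_target(href))
```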

Impact

Please review the referenced CVE identifier for details.

Workaround

There is no known workaround at this time.

Resolution

All Librsvg users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"

OS      Version  Architecture  Package             Version   Filename
Gentoo  any      all           gnome-base/librsvg  < 2.56.3  UNKNOWN
