GitHub Advisory DatabaseGHSA-6X28-7H8C-CHX4Dompdf allows remote file inclusion because URI validation failure does not halt font registration
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.9%
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| dompdf/dompdf | lt | 2.0.1 |
References
github.com/advisories/GHSA-6x28-7h8c-chx4
github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2
github.com/dompdf/dompdf/issues/2994
github.com/dompdf/dompdf/pull/2995
github.com/dompdf/dompdf/releases/tag/v2.0.1
github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml
nvd.nist.gov/vuln/detail/CVE-2022-41343
tantosec.com/blog/cve-2022-41343/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
65.9%