DATABASE RESOURCES PRICING ABOUT US

{"id": "OSV:GHSA-56GJ-MVH6-RP75", "vendorId": null, "type": "osv", "bulletinFamily": "software", "title": "URI validation failure on SVG parsing. Bypass of CVE-2023-23924", "description": "### Summary\nDue to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.\n\n### Details\nDompdf parses the href attribute of `image` tags with the following code:\n\n[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)\n``` php\nfunction ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if (strtolower($name) === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n $url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n if (!empty($url)) {\n $inner_full_url = Helpers::build_url($parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $url);\n if ($inner_full_url === $full_url) {\n throw new ImageException(\"SVG self-reference is not allowed\", E_WARNING);\n }\n [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $options);\n if (!empty($message)) {\n throw new ImageException(\"This SVG document references a restricted resource. $message\", E_WARNING);\n }\n }\n }\n},\n```\n\nAs you can see from the code snippet above, it respects `xlink:href` even if `href` is specified.\n``` php\n$url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n```\n\nHowever, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:\n\n[`src/Svg/Tag/Image.php` line 51-57](https://github.com/dompdf/php-svg-lib/blob/76876c6cf3080bcb6f249d7d59705108166a6685/src/Svg/Tag/Image.php#L51-L57)\n``` php\nif (isset($attributes['xlink:href'])) {\n $this->href = $attributes['xlink:href'];\n}\n\nif (isset($attributes['href'])) {\n $this->href = $attributes['href'];\n}\n```\n\nSince `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute.\n\n### Impact\nAn attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.", "published": "2023-02-07T18:16:23", "modified": "2023-04-11T01:41:57", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://osv.dev/vulnerability/GHSA-56gj-mvh6-rp75", "reporter": "Google", "references": ["https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75", "https://nvd.nist.gov/vuln/detail/CVE-2023-24813", "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa", "https://github.com/dompdf/dompdf"], "cvelist": ["CVE-2023-23924", "CVE-2023-24813"], "immutableFields": [], "lastseen": "2023-04-11T01:42:01", "viewCount": 13, "enchantments": {"score": {"value": 2.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2023-23924", "CVE-2023-24813"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2023-23924", "DEBIANCVE:CVE-2023-24813"]}, {"type": "github", "idList": ["GHSA-3CW5-7CXW-V5QG", "GHSA-56GJ-MVH6-RP75"]}, {"type": "githubexploit", "idList": ["1E3F45E7-D4D8-523D-95A8-F1D23AE1DEEC", "20DE90CC-563B-5C66-A78A-9FE3D74A9DB9"]}, {"type": "osv", "idList": ["OSV:GHSA-3CW5-7CXW-V5QG"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2023-23924", "UB:CVE-2023-24813"]}, {"type": "veracode", "idList": ["VERACODE:39085", "VERACODE:39195"]}]}, "affected_software": {"major_version": [{"name": "dompdf/dompdf", "version": 2}, {"name": "dompdf/dompdf", "version": 2}]}, "epss": [{"cve": "CVE-2023-23924", "epss": 0.00831, "percentile": 0.79501, "modified": "2023-04-10"}, {"cve": "CVE-2023-24813", "epss": 0.00243, "percentile": 0.60585, "modified": "2023-04-10"}], "vulnersScore": 2.4}, "_state": {"score": 1684017862, "dependencies": 1681177388, "affected_software_major_version": 0, "epss": 1681181214}, "_internal": {"score_hash": "6b9121bccef5ecbccc90f255dffd5c82"}, "affectedSoftware": [{"version": "2.0.2", "operator": "eq", "name": "dompdf/dompdf"}, {"version": "2.0.2", "operator": "eq", "name": "dompdf/dompdf"}]}

{"github": [{"lastseen": "2023-06-06T20:12:41", "description": "### Summary\nDue to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.\n\n### Details\nDompdf parses the href attribute of `image` tags with the following code:\n\n[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)\n``` php\nfunction ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if (strtolower($name) === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n $url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n if (!empty($url)) {\n $inner_full_url = Helpers::build_url($parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $url);\n if ($inner_full_url === $full_url) {\n throw new ImageException(\"SVG self-reference is not allowed\", E_WARNING);\n }\n [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $options);\n if (!empty($message)) {\n throw new ImageException(\"This SVG document references a restricted resource. $message\", E_WARNING);\n }\n }\n }\n},\n```\n\nAs you can see from the code snippet above, it respects `xlink:href` even if `href` is specified.\n``` php\n$url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n```\n\nHowever, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:\n\n[`src/Svg/Tag/Image.php` line 51-57](https://github.com/dompdf/php-svg-lib/blob/76876c6cf3080bcb6f249d7d59705108166a6685/src/Svg/Tag/Image.php#L51-L57)\n``` php\nif (isset($attributes['xlink:href'])) {\n $this->href = $attributes['xlink:href'];\n}\n\nif (isset($attributes['href'])) {\n $this->href = $attributes['href'];\n}\n```\n\nSince `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute.\n\n### Impact\nAn attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T18:16:23", "type": "github", "title": "URI validation failure on SVG parsing. Bypass of CVE-2023-23924", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924", "CVE-2023-24813"], "modified": "2023-02-24T16:37:57", "id": "GHSA-56GJ-MVH6-RP75", "href": "https://github.com/advisories/GHSA-56gj-mvh6-rp75", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T20:12:41", "description": "### Summary\nThe URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper.\n\n### Details\nThe bug occurs during SVG parsing of `<image>` tags, in src/Image/Cache.php : \n\n```\nif ($type === \"svg\") {\n $parser = xml_parser_create(\"utf-8\");\n xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\n xml_set_element_handler(\n $parser,\n function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if ($name === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n```\nThis part will try to detect `<image>` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with \"image\" is case sensitive, which means that such a tag in the SVG will pass : \n\n```\n<svg>\n <Image xlink:href=\"phar:///foo\"></Image>\n</svg>\n```\n\nAs the tag is named \"Image\" and not \"image\", it will not pass the condition to trigger the check.\n\nA correct solution would be to strtolower the `$name` before the check : \n\n```\nif (strtolower($name) === \"image\") {\n```\n\n### PoC\nParsing the following SVG file is sufficient to reproduce the vulnerability :\n\n```\n<svg>\n <Image xlink:href=\"phar:///foo\"></Image>\n</svg>\n```\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T01:37:56", "type": "github", "title": "Dompdf vulnerable to URI validation failure on SVG parsing", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-03-15T19:18:52", "id": "GHSA-3CW5-7CXW-V5QG", "href": "https://github.com/advisories/GHSA-3cw5-7cxw-v5qg", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-06-07T13:25:11", "description": "Dompdf is an HTML to PDF converter written in php. Due to the difference in\nthe attribute parser of Dompdf and php-svg-lib, an attacker can still call\narbitrary URLs with arbitrary protocols. Dompdf parses the href attribute\nof `image` tags and respects `xlink:href` even if `href` is specified.\nHowever, php-svg-lib, which is later used to parse the svg file, parses the\nhref attribute. Since `href` is respected if both `xlink:href` and `href`\nis specified, it's possible to bypass the protection on the Dompdf side by\nproviding an empty `xlink:href` attribute. An attacker can exploit the\nvulnerability to call arbitrary URLs with arbitrary protocols if they\nprovide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads\nto arbitrary unserialize, which will lead, at the very least, to arbitrary\nfile deletion and might lead to remote code execution, depending on\navailable classes. This vulnerability has been addressed in commit\n`95009ea98` which has been included in release version 2.0.3. Users are\nadvised to upgrade. There are no known workarounds for this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | in Ubuntu versions src/Image/Cache.php is in ./include/image_cache.cls.php and does not contain the affected code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T00:00:00", "type": "ubuntucve", "title": "CVE-2023-24813", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24813"], "modified": "2023-02-07T00:00:00", "id": "UB:CVE-2023-24813", "href": "https://ubuntu.com/security/CVE-2023-24813", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T13:25:05", "description": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can\nbe bypassed on SVG parsing by passing `<image>` tags with uppercase\nletters. This may lead to arbitrary object unserialize on PHP < 8, through\nthe `phar` URL wrapper. An attacker can exploit the vulnerability to call\narbitrary URL with arbitrary protocols, if they can provide a SVG file to\ndompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize,\nthat will lead to the very least to an arbitrary file deletion and even\nremote code execution, depending on classes that are available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T00:00:00", "type": "ubuntucve", "title": "CVE-2023-23924", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-02-01T00:00:00", "id": "UB:CVE-2023-23924", "href": "https://ubuntu.com/security/CVE-2023-23924", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-06-06T18:12:22", "description": "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T19:15:00", "type": "debiancve", "title": "CVE-2023-24813", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24813"], "modified": "2023-02-07T19:15:00", "id": "DEBIANCVE:CVE-2023-24813", "href": "https://security-tracker.debian.org/tracker/CVE-2023-24813", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T18:12:22", "description": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T00:15:00", "type": "debiancve", "title": "CVE-2023-23924", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-02-01T00:15:00", "id": "DEBIANCVE:CVE-2023-23924", "href": "https://security-tracker.debian.org/tracker/CVE-2023-23924", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-06-06T19:44:46", "description": "dompdf/dompdf is vulnerable to Arbitrary Code Execution. The vulnerability exists in `Cache.php` due to a lack of validations for SVG files in Dompdf and php-svg-lib, allowing an attacker to parse an arbitrary URL with arbitrary protocols, which can resulting in Arbitrary Code Execution.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-10T07:49:34", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24813"], "modified": "2023-02-16T15:42:39", "id": "VERACODE:39195", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39195/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T19:48:52", "description": "dompdf/dompdf is vulnerable to Remote Code Execution (RCE). The vulnerability is due to URI validation bypass through the `phar` URL wrapper by passing `` tags with uppercase letters which allows an attacker to unserialize arbitrary objects, possibly leading to RCE.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-02T07:50:49", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-02-08T23:16:45", "id": "VERACODE:39085", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39085/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-07T17:57:27", "description": "Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T19:15:00", "type": "cve", "title": "CVE-2023-24813", "cwe": ["CWE-436"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-24813"], "modified": "2023-02-16T14:53:00", "cpe": ["cpe:/a:dompdf_project:dompdf:2.0.2"], "id": "CVE-2023-24813", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24813", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:dompdf_project:dompdf:2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-07T17:55:32", "description": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T00:15:00", "type": "cve", "title": "CVE-2023-23924", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-02-08T22:21:00", "cpe": ["cpe:/a:dompdf_project:dompdf:2.0.1"], "id": "CVE-2023-23924", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23924", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2023-03-15T20:10:39", "description": "<p align=\"center\"><a href=\"https://laravel.com\" target=\"_blank\">...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-08T01:16:16", "type": "githubexploit", "title": "Exploit for Incorrect Authorization in Dompdf Project Dompdf", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2023-23924"], "modified": "2023-03-15T17:26:38", "id": "20DE90CC-563B-5C66-A78A-9FE3D74A9DB9", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-06-06T20:25:37", "description": "# CVE-2023-23924\n\nDompdf vulnerable to URI validation failure on...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T18:21:23", "type": "githubexploit", "title": "Exploit for Incorrect Authorization in Dompdf Project Dompdf", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23924"], "modified": "2023-05-13T02:06:18", "id": "1E3F45E7-D4D8-523D-95A8-F1D23AE1DEEC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "osv": [{"lastseen": "2023-04-11T01:40:19", "description": "### Summary\nThe URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper.\n\n### Details\nThe bug occurs during SVG parsing of `<image>` tags, in src/Image/Cache.php : \n\n```\nif ($type === \"svg\") {\n $parser = xml_parser_create(\"utf-8\");\n xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\n xml_set_element_handler(\n $parser,\n function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if ($name === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n```\nThis part will try to detect `<image>` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with \"image\" is case sensitive, which means that such a tag in the SVG will pass : \n\n```\n<svg>\n <Image xlink:href=\"phar:///foo\"></Image>\n</svg>\n```\n\nAs the tag is named \"Image\" and not \"image\", it will not pass the condition to trigger the check.\n\nA correct solution would be to strtolower the `$name` before the check : \n\n```\nif (strtolower($name) === \"image\") {\n```\n\n### PoC\nParsing the following SVG file is sufficient to reproduce the vulnerability :\n\n```\n<svg>\n <Image xlink:href=\"phar:///foo\"></Image>\n</svg>\n```\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T01:37:56", "type": "osv", "title": "Dompdf vulnerable to URI validation failure on SVG parsing", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-23924"], "modified": "2023-04-11T01:40:16", "id": "OSV:GHSA-3CW5-7CXW-V5QG", "href": "https://osv.dev/vulnerability/GHSA-3cw5-7cxw-v5qg", "cvss": {"score": 0.0, "vector": "NONE"}}]}