CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile: 31.2%
A flaw was found in the subsetting module of FontTools, which contains an XML External Entity Injection (XXE) vulnerability. The flaw is reachable through the parsing of candidate fonts, in particular OT-SVG fonts that carry an SVG table. Because the XML parser resolves arbitrary entities, an attacker who supplies a crafted font can cause it to include files from the filesystem of the host running FontTools, or to initiate web requests from that host.
There may be other ways to mitigate the issue. Here are some suggestions:
- Set the resolve_entities=False flag on parsing methods.
- Consider further methods of disallowing doctype declarations.
- Consider recursive regex matching.
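The following is an added example, not code from FontTools or from the advisory, showing the second suggestion above (refusing any DOCTYPE or entity declaration in an SVG document before it is handed to an XML parser). The resolve_entities flag named above belongs to lxml's XMLParser; this example instead uses Python's standard-library expat bindings so it runs without lxml, and the function names (safe_parse_svg, is_safe_svg), the UnsafeSvgError class and both SVG samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeSvgError(ValueError):
    """Raised when an SVG document carries a DOCTYPE or entity declaration."""


def _reject_dtd(data: bytes) -> None:
    """Pre-parse pass: stop at the first DOCTYPE or entity declaration.

    expat fires StartDoctypeDeclHandler as soon as it sees '<!DOCTYPE' and
    EntityDeclHandler for every '<!ENTITY ...>' in the internal subset, so
    the document is rejected before any entity could be resolved.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgError(f"DOCTYPE declaration rejected (root element {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvgError(f"entity declaration rejected ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        # Belt and braces: returning 0 tells expat not to fetch the resource.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_parse_svg(data: bytes) -> ET.Element:
    """Parse an SVG table payload only if it declares no DTD; return the root element."""
    _reject_dtd(data)
    return ET.fromstring(data)


def is_safe_svg(data: bytes) -> bool:
    """True if the document parses and contains no DOCTYPE/entity declarations."""
    try:
        safe_parse_svg(data)
    except (UnsafeSvgError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample: a benign SVG document such as an OT-SVG table might hold.
SAFE_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<rect id="glyph1" width="10" height="10"/></svg>'
)

# Constructed sample: the same document with an external entity declared in
# an internal DTD subset; the placeholder path is not a real target.
XXE_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)


if __name__ == "__main__":
    print("benign SVG accepted:", is_safe_svg(SAFE_SVG))
    print("SVG with DTD accepted:", is_safe_svg(XXE_SVG))
```

Rejecting every DOCTYPE is stricter than strictly necessary, since some hand-authored SVG files carry a harmless public DOCTYPE; if that is a concern, keep only the entity-declaration handler and the external-reference refusal.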
bugzilla.redhat.com/show_bug.cgi?id=2257808
github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
github.com/fonttools/fonttools/releases/tag/4.43.0
github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
nvd.nist.gov/vuln/detail/CVE-2023-45139
www.cve.org/CVERecord?id=CVE-2023-45139