CVE-2023-45139

Source: ubuntucve (ubuntu.com), advisory ID UB:CVE-2023-45139
Published: 2024-01-10 00:00:00 (Jan 10, 2024 - 12:00 a.m.)
Tags: fonttools, library, xml external entity injection, vulnerability, patched, version 4.43.0, unix

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 7.2 (Confidence: Low)
EPSS: 0.001 (Percentile: 31.2%)

fontTools is a library for manipulating fonts, written in Python. The
subsetting module has an XML External Entity Injection (XXE) vulnerability:
when a candidate OT-SVG font (one that contains an SVG table) is parsed, the
XML parser resolves arbitrary entities declared in the embedded SVG
documents. This lets an attacker who supplies such a font read arbitrary
files from the filesystem fontTools is running on (their contents are
substituted into the SVG document) or make web requests from the host
system. The vulnerable code path is reached through fontTools.subset (the
pyftsubset tool), so any pipeline that subsets untrusted fonts is exposed.
This vulnerability has been patched in version 4.43.0.
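The example below is added here to show the mechanism; it is not fontTools code and does not import fontTools. It builds a constructed SVG document of the kind an OT-SVG table carries, with a DTD that declares an external entity pointing at a file, and parses it with the standard-library expat parser in two ways: one handler that follows the SYSTEM identifier (the entity-resolving behaviour the subsetter's XML parsing exposed before 4.43.0), and one that rejects any entity declaration outright (the same outcome as the fix, which parses the table with entity resolution disabled). The secret file, its contents, the glyph id and the function names are all assumptions made for the demonstration.

```python
import os
import tempfile
from xml.parsers import expat

# Constructed stand-in for a sensitive file an attacker would target.
SECRET_CONTENT = "root:x:0:0:root:/root:/bin/bash\n"

# Constructed benign SVG document of the kind stored in an OT-SVG table
# ("glyph1" follows the glyph-id naming that table uses).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<text id="glyph1">A</text>'
    '</svg>'
)


class EntityDeclarationRejected(ValueError):
    """Raised by the hardened parser on any <!ENTITY ...> declaration."""


def build_malicious_svg(target_path: str) -> str:
    """Constructed SVG document: the DTD declares an external entity that
    points at target_path, and a glyph element references it."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE svg [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<svg xmlns="http://www.w3.org/2000/svg">\n'
        '  <text id="glyph1">&xxe;</text>\n'
        '</svg>\n'
    )


def parse_resolving_entities(xml_text: str) -> str:
    """Vulnerable pattern: follow external entities and return the document's
    character data, which now includes the referenced file's contents."""
    chunks = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        # Open whatever the SYSTEM identifier names and parse it as an
        # external parsed entity. The child parser shares the parent's
        # handlers, so the file's text lands in `chunks` like any other text.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_rejecting_entities(xml_text: str) -> str:
    """Hardened pattern: refuse every entity declaration before it can be
    referenced, so a file or http SYSTEM identifier is never fetched."""
    chunks = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} rejected")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo() -> dict:
    """Write the constructed secret file, feed an SVG document that references
    it to both parsers, and report what each one did."""
    fd, path = tempfile.mkstemp(prefix="xxe-target-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET_CONTENT)
    try:
        malicious = build_malicious_svg(path)
        leaked = parse_resolving_entities(malicious)
        try:
            parse_rejecting_entities(malicious)
            rejected = False
        except EntityDeclarationRejected:
            rejected = True
        return {
            "leaked_text": leaked,
            "secret_leaked": SECRET_CONTENT in leaked,
            "hardened_rejected": rejected,
            "benign_still_parses": parse_rejecting_entities(BENIGN_SVG) == "A",
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The resolving parser returns the secret file's text as ordinary character data of the glyph, which is exactly what ends up in the subsetted SVG table; the rejecting parser fails on the DOCTYPE before the SYSTEM identifier is ever opened while still parsing the benign glyph document. To confirm a deployment is past the fix, check the installed library version with `python -c "import fontTools; print(fontTools.version)"` and expect 4.43.0 or later.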
