cvelistv5 - cve-2023-23924

CVE-2023-23924 (GCVE-0-2023-23924)

Vulnerability from cvelistv5

Published

2023-01-31 23:54

Modified

2025-03-10 21:17

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

CWE

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Summary

Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.

References

►

URL

Tags

security-advisories@github.com	https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/releases/tag/v2.0.2	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/releases/tag/v2.0.2	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	dompdf	dompdf	Version: < 2.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:42:27.102Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
          },
          {
            "name": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
          },
          {
            "name": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23924",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:02:06.465214Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:17:31.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dompdf",
          "vendor": "dompdf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-551",
              "description": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-31T23:54:30.162Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
        },
        {
          "name": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
        },
        {
          "name": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-3cw5-7cxw-v5qg",
        "discovery": "UNKNOWN"
      },
      "title": "URI validation failure on SVG parsing in Dompdf"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23924",
    "datePublished": "2023-01-31T23:54:30.162Z",
    "dateReserved": "2023-01-19T21:12:31.358Z",
    "dateUpdated": "2025-03-10T21:17:31.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23924\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-01T00:15:10.693\",\"lastModified\":\"2024-11-21T07:47:06.630\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-551\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A20BA838-5E5B-4CCD-B1DE-4AA444704DE3\"}]}]}],\"references\":[{\"url\":\"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\", \"name\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\", \"name\": \"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\", \"name\": \"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:42:27.102Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23924\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:02:06.465214Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:02:07.854Z\"}}], \"cna\": {\"title\": \"URI validation failure on SVG parsing in Dompdf\", \"source\": {\"advisory\": \"GHSA-3cw5-7cxw-v5qg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dompdf\", \"product\": \"dompdf\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\", \"name\": \"https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\", \"name\": \"https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\", \"name\": \"https://github.com/dompdf/dompdf/releases/tag/v2.0.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.\\n\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-551\", \"description\": \"CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-01-31T23:54:30.162Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23924\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:17:31.944Z\", \"dateReserved\": \"2023-01-19T21:12:31.358Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-31T23:54:30.162Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-3cw5-7cxw-v5qg

Vulnerability from github

Published

2023-02-01 01:37

Modified

2023-02-01 01:37

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

Summary

Dompdf vulnerable to URI validation failure on SVG parsing

Details

Summary

The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.

Details

The bug occurs during SVG parsing of <image> tags, in src/Image/Cache.php :

if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if ($name === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass :

<svg> <Image xlink:href="phar:///foo"></Image> </svg>

As the tag is named "Image" and not "image", it will not pass the condition to trigger the check.

A correct solution would be to strtolower the $name before the check :

if (strtolower($name) === "image") {

PoC

Parsing the following SVG file is sufficient to reproduce the vulnerability :

<svg> <Image xlink:href="phar:///foo"></Image> </svg>

Impact

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dompdf/dompdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-551",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-01T01:37:56Z",
    "nvd_published_at": "2023-02-01T00:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper.\n\n### Details\nThe bug occurs during SVG parsing of `\u003cimage\u003e` tags, in src/Image/Cache.php : \n\n```\nif ($type === \"svg\") {\n    $parser = xml_parser_create(\"utf-8\");\n    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);\n    xml_set_element_handler(\n        $parser,\n        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n            if ($name === \"image\") {\n                $attributes = array_change_key_case($attributes, CASE_LOWER);\n```\nThis part will try to detect `\u003cimage\u003e` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with \"image\" is case sensitive, which means that such a tag in the SVG will pass : \n\n```\n\u003csvg\u003e\n    \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\nAs the tag is named \"Image\" and not \"image\", it will not pass the condition to trigger the check.\n\nA correct solution would be to strtolower the `$name` before the check : \n\n```\nif (strtolower($name) === \"image\") {\n```\n\n### PoC\nParsing the following SVG file is sufficient to reproduce the vulnerability :\n\n```\n\u003csvg\u003e\n    \u003cImage xlink:href=\"phar:///foo\"\u003e\u003c/Image\u003e\n\u003c/svg\u003e\n```\n\n### Impact\nAn attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.\n",
  "id": "GHSA-3cw5-7cxw-v5qg",
  "modified": "2023-02-01T01:37:56Z",
  "published": "2023-02-01T01:37:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3cw5-7cxw-v5qg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/dompdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dompdf vulnerable to URI validation failure on SVG parsing"
}

gsd-2023-23924

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-23924

Aliases

CVE-2023-23924

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-23924",
    "id": "GSD-2023-23924"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-23924"
      ],
      "details": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.",
      "id": "GSD-2023-23924",
      "modified": "2023-12-13T01:20:50.168442Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-23924",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "dompdf",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 2.0.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "dompdf"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-551",
                "lang": "eng",
                "value": "CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg",
            "refsource": "MISC",
            "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
          },
          {
            "name": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85",
            "refsource": "MISC",
            "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
          },
          {
            "name": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2",
            "refsource": "MISC",
            "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3cw5-7cxw-v5qg",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "=2.0.1",
          "affected_versions": "Version 2.0.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-863",
            "CWE-937"
          ],
          "date": "2023-02-08",
          "description": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.",
          "fixed_versions": [
            "2.0.2"
          ],
          "identifier": "CVE-2023-23924",
          "identifiers": [
            "CVE-2023-23924",
            "GHSA-3cw5-7cxw-v5qg"
          ],
          "not_impacted": "All versions before 2.0.1, all versions after 2.0.1",
          "package_slug": "packagist/dompdf/dompdf",
          "pubdate": "2023-02-01",
          "solution": "Upgrade to version 2.0.2 or above.",
          "title": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
          "urls": [
            "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-23924",
            "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85",
            "https://github.com/dompdf/dompdf/releases/tag/v2.0.2",
            "https://github.com/advisories/GHSA-3cw5-7cxw-v5qg"
          ],
          "uuid": "87497164-4e15-4bc6-9637-e4fce87efa04"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-23924"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
            },
            {
              "name": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
            },
            {
              "name": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-08T22:21Z",
      "publishedDate": "2023-02-01T00:15Z"
    }
  }
}

fkie_cve-2023-23924

Vulnerability from fkie_nvd

Published

2023-02-01 00:15

Modified

2024-11-21 07:47

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/releases/tag/v2.0.2	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/releases/tag/v2.0.2	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	dompdf_project	dompdf	2.0.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A20BA838-5E5B-4CCD-B1DE-4AA444704DE3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `\u003cimage\u003e` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP \u003c 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.\n"
    }
  ],
  "id": "CVE-2023-23924",
  "lastModified": "2024-11-21T07:47:06.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-01T00:15:10.693",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-551"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-23924 (GCVE-0-2023-23924)

Vulnerability from cvelistv5

ghsa-3cw5-7cxw-v5qg

Vulnerability from github

Summary

Details

PoC

Impact

gsd-2023-23924

Vulnerability from gsd

fkie_cve-2023-23924

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature