CVE-2023-27586

Published: 20/03/2023 Updated: 23/03/2023
CVSS v3 Base Score: 7.1 | Impact Score: 5.2 | Exploitability Score: 1.8
VMScore: 0

Vulnerability Summary

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
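As an added defence-in-depth check, independent of the upgrade the advisory describes (example code, not CairoSVG's own): a pre-filter that lists every reference in an SVG that would resolve outside the document (href/xlink:href attributes and CSS url()/@import values that are neither fragments nor data: URIs), so an application can reject such files before conversion. The two sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Reference-carrying attributes and CSS forms checked here (assumption for this example:
# href / xlink:href on any element, url(...) in style attributes or <style> text, @import).
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
CSS_URL_RE = re.compile(r"url\(\s*[\"']?([^\"')]+)[\"']?\s*\)")
CSS_IMPORT_RE = re.compile(r"@import\s+[\"']([^\"']+)[\"']")


def is_external(ref):
    """True unless the reference stays inside the document (#fragment) or is inline (data:)."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    # Relative paths, file:, http(s): and any other scheme all resolve outside the SVG.
    return urlsplit(ref).scheme.lower() != "data"


def external_references(svg_bytes):
    """Return every external reference found in the SVG, in document order."""
    found = []
    for elem in ET.fromstring(svg_bytes).iter():
        for attr in HREF_ATTRS:
            ref = elem.get(attr)
            if ref is not None and is_external(ref):
                found.append(ref.strip())
        css = elem.get("style") or ""
        if elem.tag.rsplit("}", 1)[-1] == "style":   # namespaced or bare <style>
            css += " " + (elem.text or "")
        for ref in CSS_URL_RE.findall(css) + CSS_IMPORT_RE.findall(css):
            if is_external(ref):
                found.append(ref.strip())
    return found


def is_self_contained(svg_bytes):
    """Gate to apply before handing an SVG to a converter: reject any external reference."""
    return not external_references(svg_bytes)


# Constructed sample documents (not taken from the advisory).
SAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="2"/></defs>
  <use xlink:href="#dot"/>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""
UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <style>@import "http://example.invalid/theme.css";</style>
  <image xlink:href="http://example.invalid/logo.png" width="10" height="10"/>
  <rect style="fill:url(../fills.svg#p)" width="10" height="10"/>
</svg>"""
```

This catches the reference forms listed above; it is a filter in front of the converter, not a replacement for running a version with external fetching disabled.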

Vulnerable Products

courtbouillon cairosvg

Vendor Advisories

Debian Bug report logs - #1033295 cairosvg: CVE-2023-27586: SSRF & DOS vulnerability. Package: src:cairosvg; Maintainer for src:cairosvg is Debian Python Team <team+python@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 21 Mar 2023 19:45:02 UTC; Severity: grave; Tags: security, ...
It was reported that cairosvg, an SVG converter based on Cairo, can send requests to external hosts when processing specially crafted SVG files with external file resource loading. An attacker can take advantage of this flaw to perform a server-side request forgery or denial of service. Fetching of external files is disabled by default with this upd ...