
CVE-2023-45139

Published: 10/01/2024 Updated: 01/05/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows a malicious user to resolve arbitrary entities when a candidate OT-SVG font, which contains an SVG table, is parsed. This allows malicious users to include arbitrary files from the filesystem on which fontTools is running, or to make web requests from the host system. This vulnerability has been patched in version 4.43.0.
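As an added example (not fontTools code), a parser-independent guard written against Python's standard-library expat binding: it scans an SVG table document, reports any DTD constructs (the declarations an XXE payload depends on) without resolving anything, and rejects documents that carry a DTD. The sample SVG documents are constructed for this example; lxml's own `XMLParser` additionally accepts `resolve_entities=False` to switch entity resolution off at the parser.

```python
import xml.parsers.expat as expat

# Constructed sample of an SVG table body with a DTD that declares an external
# entity: the shape of input the CVE describes. Constructed for this example,
# not taken from a real font.
UNSAFE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg"><g id="glyph1"><text>&ext;</text></g></svg>
"""

# A benign SVG table body, also constructed.
SAFE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><g id="glyph1"><path d="M0 0h10v10z"/></g></svg>
"""


def svg_table_dtd_findings(document: bytes) -> list:
    """Scan an SVG table document with expat and report DTD constructs.

    Nothing is resolved: expat does not fetch external entities on its own,
    and the external-reference handler below only records the reference.
    """
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype:{name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external-entity" if (sysid or pubid) else "internal-entity"
        findings.append(f"{kind}:{name}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external-ref:{sysid}")
        return 1  # non-zero tells expat the reference was handled; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(document, True)
    return findings


def accept_svg_table(document: bytes) -> bool:
    """Policy: an SVG table is accepted only if it carries no DTD at all."""
    return not svg_table_dtd_findings(document)
```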

Vulnerable Product

fonttools fonttools

Vendor Advisories

This CVE is under investigation by Red Hat Product Security ...

Mailing Lists

www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/ is a detailed blog about vulnerabilities in some open source font handling software. It discusses three new vulnerabilities in particular: - CVE-2023-45139 in FontTools versions >=4.28.2, <4.43.0, fixed in 4.43.0. FontTools uses lxml to process SVG tables in ...
Hi, On Fri, 8 Mar 2024 11:06:35 -0800 Alan Coopersmith <alan.coopersmith () oracle com> wrote: I was surprised that any library would do this by default in 2024. According to their webpage, lxml does *not* enable external entity expansion by default, but changed the default only very recently lxml.de/FAQ.html#how-do-i-use-lxml-s ...

Recent Articles

Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva
The Register

Who knew that unzipping a font archive could unleash a malicious file

Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places." On its engineering blog, the Australian outfit explained it's "continuously looking for ways to uplift the security of [its] processes, software, supply chain, and tools," leading it to the "less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing." That effort yielded three type-related vulns. CVE-2023-45139 is a high-sev...