CVE-2023-45139

Published: 10/01/2024 Updated: 01/05/2024
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability that allows a malicious user to resolve arbitrary entities when a candidate font (an OT-SVG font) containing an SVG table is parsed. This allows malicious users to include arbitrary files from the filesystem fontTools is running on, or to make web requests from the host system. This vulnerability has been patched in version 4.43.0.
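The weakness described above is the parser, not the font format: an OT-SVG glyph document never needs a DOCTYPE or entity declarations, so a defender can refuse any SVG table document that carries one before an entity-resolving parser sees it. The following is an added example, not fontTools' own code or its 4.43.0 fix; it uses only the Python standard library, and the function and class names and the two sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeSVGDocument(ValueError):
    """Raised when an OT-SVG glyph document declares a DTD or entities."""


def check_svg_document(doc):
    """Pre-scan an SVG table document with expat and report every construct
    that an entity-resolving parser could turn into a file read or a web
    request. Returns a list of findings; empty means nothing suspicious."""
    findings = []
    parser = expat.ParserCreate()
    # Never load external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("doctype:%s" % name)
        if sysid:
            findings.append("external-dtd:%s" % sysid)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external-entity" if sysid is not None else "internal-entity"
        findings.append("%s:%s" % (kind, name))

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference but never fetch it; returning 1 lets expat go on.
        findings.append("external-entity-ref:%s" % sysid)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(doc, True)
    return findings


def is_safe_svg_document(doc):
    return not check_svg_document(doc)


def parse_svg_document(doc):
    """Refuse documents with DTD/entity constructs; otherwise parse with the
    standard-library ElementTree and return the root element's tag."""
    findings = check_svg_document(doc)
    if findings:
        raise UnsafeSVGDocument(", ".join(findings))
    return ET.fromstring(doc).tag


# Constructed sample documents (hypothetical, not taken from any real font).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><g id="glyph1"><path d="M0 0h10v10z"/></g></svg>'
HOSTILE_SVG = (b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///CONSTRUCTED/placeholder">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg"><g id="glyph1">&xxe;</g></svg>')
```

The same pre-check can be run over every document in a font's SVG table before the table is handed to a subsetter or renderer.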

Vulnerable Product

fonttools fonttools

Vendor Advisories

Red Hat: This CVE is under investigation by Red Hat Product Security ...

Mailing Lists

oss-sec: Re: Vulnerabilities in FontTools & FontForge. From: Hanno Böck ...
oss-sec: Vulnerabilities in FontTools & FontForge. From: Alan Coopersmith ...

Recent Articles

Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva
The Register

Who knew that unzipping a font archive could unleash a malicious file

Online graphic design platform Canva went looking for security problems in fonts, and found three – in "strange places." On its engineering blog, the Australian outfit explained it's "continuously looking for ways to uplift the security of [its] processes, software, supply chain, and tools," leading it to the "less explored attack surfaces, such as fonts that present a complex and prevalent part of graphics processing." That effort yielded three type-related vulns. CVE-2023-45139 is a high-sev...