CVSS3: 9.8 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.8 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 41.4%)
The remote Debian 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5642 advisory.

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an SVG document, an attacker can cause the system to enter infinite recursion. Depending on the system configuration and attack pattern, this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple requests to a system to render such a payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests. Version 0.5.1 contains a patch for this issue. (CVE-2023-50251)

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling a `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag into the `<image>` tag. The problem arises especially when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read that can cause a PHAR deserialization vulnerability in PHP prior to version 8. Version 0.5.1 contains a patch for this issue. (CVE-2023-50252)

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that `font-family` doesn't contain a PHAR URL, which might lead to RCE on PHP < 8.0, and doesn't validate whether external references are allowed. This might lead to a bypass of restrictions or RCE on projects that use it, if they do not strictly revalidate the `fontName` that is passed by php-svg-lib. `Style::fromAttributes()` or `Style::parseCssStyle()` should check the content of `font-family` and prevent it from using a PHAR URL, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double-check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue. (CVE-2024-25117)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5642. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(192309);
  script_version("1.0");

  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/20");

  script_cve_id("CVE-2023-50251", "CVE-2023-50252", "CVE-2024-25117");

  script_name(english:"Debian dsa-5642 : php-dompdf-svg-lib - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dsa-5642 advisory.
- php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the
attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an
infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory
available to the executing process and/or to the server itself. An attacker sending multiple request to a
system to render the above payload can potentially cause resource exhaustion to the point that the system
is unable to handle incoming request. Version 0.5.1 contains a patch for this issue. (CVE-2023-50251)
- php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag
that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The
problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can
lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8.
Version 0.5.1 contains a patch for this issue. (CVE-2023-50252)
- php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2,
php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP
< 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions
or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by
php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of
the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName`
value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused.
Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even
remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-
lib. Version 0.5.2 contains a fix for this issue. (CVE-2024-25117)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://security-tracker.debian.org/tracker/source-package/php-dompdf-svg-lib
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3d322688");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-50251");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-50252");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-25117");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/php-dompdf-svg-lib");
  script_set_attribute(attribute:"solution", value:
"Upgrade the php-dompdf-svg-lib packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-50252");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-dompdf-svg-lib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

# Local checks need credentials and a collected dpkg package list
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only Debian 12.x hosts are in scope
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 12.0', 'Debian ' + debian_release);

# Only x86_64, i386-i686 and aarch64 are handled
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

# Package name and the fixed version it is compared against
var pkgs = [
    {'release': '12.0', 'prefix': 'php-dompdf-svg-lib', 'reference': '0.5.0-3+deb12u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

# Report if any package check matched, otherwise record why the host was not flagged
if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-dompdf-svg-lib');
}
```
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | php-dompdf-svg-lib | p-cpe:/a:debian:debian_linux:php-dompdf-svg-lib |
debian | debian_linux | 12.0 | cpe:/o:debian:debian_linux:12.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50251
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50252
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25117
www.nessus.org/u?3d322688
packages.debian.org/source/bookworm/php-dompdf-svg-lib
security-tracker.debian.org/tracker/CVE-2023-50251
security-tracker.debian.org/tracker/CVE-2023-50252
security-tracker.debian.org/tracker/CVE-2024-25117