CVE-2023-23924

Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85	Patch Third Party Advisory
https://github.com/dompdf/dompdf/releases/tag/v2.0.2	Release Notes Third Party Advisory
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*

History

01 Feb 2023, 13:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-01 00:15

Updated : 2024-02-04 23:14

NVD link : CVE-2023-23924

Mitre link : CVE-2023-23924

CVE.ORG link : CVE-2023-23924

JSON object : View

Products Affected

dompdf_project

dompdf

CWE

CWE-863

Incorrect Authorization

CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

{"id": "CVE-2023-23924", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2023-02-01T00:15:10.693", "references": [{"url": "https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.2", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-551"}]}], "descriptions": [{"lang": "en", "value": "Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.\n"}], "lastModified": "2023-11-07T04:08:06.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dompdf_project:dompdf:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A20BA838-5E5B-4CCD-B1DE-4AA444704DE3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}