CVE-2023-38633

medium

Description

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

References

https://www.debian.org/security/2023/dsa-5484

https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

https://security.netapp.com/advisory/ntap-20230831-0011/

https://news.ycombinator.com/item?id=37415799

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/

https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3

https://gitlab.gnome.org/GNOME/librsvg/-/issues/996

https://bugzilla.suse.com/show_bug.cgi?id=1213502

http://www.openwall.com/lists/oss-security/2023/09/06/10

http://www.openwall.com/lists/oss-security/2023/07/27/1

http://seclists.org/fulldisclosure/2023/Jul/43

Details

Source: Mitre, NVD

Published: 2023-07-22

Updated: 2024-01-24

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium