{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50262", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-05T20:42:59.379Z", "datePublished": "2023-12-13T20:52:56.173Z", "dateUpdated": "2024-08-02T22:16:46.642Z"}, "containers": {"cna": {"title": "Dompdf possible DoS caused by infinite recursion when parsing SVG images", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2"}, {"name": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593", "tags": ["x_refsource_MISC"], "url": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593"}, {"name": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153", "tags": ["x_refsource_MISC"], "url": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153"}], "affected": [{"vendor": "dompdf", "product": "dompdf", "versions": [{"version": "< 2.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-13T20:52:56.173Z"}, "descriptions": [{"lang": "en", "value": "Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.\n\nphp-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images.\n\nWhen Dompdf parses a malicious payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.\n\nVersion 2.0.4 contains a fix for this issue."}], "source": {"advisory": "GHSA-3qx2-6f78-w2j2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.642Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2"}, {"name": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593"}, {"name": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dompdf_project:dompdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "19911C76-C061-445A-BB47-77C6DB04F42A", "versionEndIncluding": "2.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.\n\nphp-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images.\n\nWhen Dompdf parses a malicious payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.\n\nVersion 2.0.4 contains a fix for this issue."}, {"lang": "es", "value": "Dompdf es un conversor de HTML a PDF para PHP. Al analizar im\u00e1genes SVG, Dompdf realiza una validaci\u00f3n inicial para garantizar que las rutas dentro del SVG est\u00e9n permitidas. Una de las validaciones es que el documento SVG no hace referencia a s\u00ed mismo. Sin embargo, antes de la versi\u00f3n 2.0.4, un encadenado recursivo que utiliza dos o m\u00e1s documentos SVG no se valida correctamente. Dependiendo de la configuraci\u00f3n del sistema y del patr\u00f3n de ataque, esto podr\u00eda agotar la memoria disponible para el proceso en ejecuci\u00f3n y/o para el propio servidor. php-svg-lib, cuando se ejecuta de forma aislada, no admite referencias SVG para elementos de \"imagen\". Sin embargo, cuando se usa en combinaci\u00f3n con Dompdf, php-svg-lib procesar\u00e1 im\u00e1genes SVG a las que hace referencia un elemento `image`. Dompdf actualmente incluye validaci\u00f3n para evitar referencias de \"imagen\" autorreferenciales, pero no se verifica una referencia encadenada. Por lo tanto, un actor malicioso puede desencadenar una recursividad infinita encadenando referencias entre dos o m\u00e1s im\u00e1genes SVG. Cuando Dompdf analiza un payload malicioso, se bloquear\u00e1 despu\u00e9s de exceder el tiempo de ejecuci\u00f3n permitido o el uso de memoria. Un atacante que env\u00eda varias solicitudes a un sistema puede provocar el agotamiento de los recursos hasta el punto de que el sistema no pueda manejar las solicitudes entrantes. La versi\u00f3n 2.0.4 contiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-50262", "lastModified": "2024-11-21T08:36:46.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-13T21:15:09.117", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}