ALT-PU-2023-4802-2
Closed vulnerabilities
Published: 2023-07-22
Modified: 2024-11-21
CVE-2023-38633
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
Severity: MEDIUM (5.5)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
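The href quoted above shows why a containment check that looks only at a URL's path component is not enough: parsed as a URL, the path is just "." and the traversal sits in the query string, while a consumer that treats the same string as a plain filesystem path walks out of the base directory. The following checker, an added example that is not librsvg's code and makes no claim about its internals, scans an SVG for xi:include hrefs and flags any that escape a base directory under either interpretation (base_dir is assumed to be an absolute path without a trailing slash; the sample document is constructed).

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XI_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample SVG carrying the href shape quoted in the advisory
# plus one benign include for comparison.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text"/>
  <xi:include href="data/legend.txt" parse="text"/>
</svg>"""


def _inside(target: str, base_dir: str) -> bool:
    return target == base_dir or target.startswith(base_dir + "/")


def url_path_escapes(href: str, base_dir: str) -> bool:
    """Containment check on the URL *path* component only (query and
    fragment ignored). For the advisory's href the path is just '.', so
    this check passes even though the string is dangerous."""
    path = unquote(urlsplit(href).path)
    return not _inside(posixpath.normpath(posixpath.join(base_dir, path)), base_dir)


def raw_path_escapes(href: str, base_dir: str) -> bool:
    """Containment check treating the whole decoded href as a filesystem
    path, i.e. with '?' as an ordinary character. '.?' is then just a
    directory name and the following '..' segments traverse upward."""
    target = posixpath.normpath(posixpath.join(base_dir, unquote(href)))
    return not _inside(target, base_dir)


def find_suspicious_includes(svg_text: str, base_dir: str) -> list[str]:
    """Return hrefs of xi:include elements that escape base_dir under
    either the URL-path or the raw-path interpretation."""
    root = ET.fromstring(svg_text)
    flagged = []
    for el in root.iter(f"{{{XI_NS}}}include"):
        href = el.get("href", "")
        if url_path_escapes(href, base_dir) or raw_path_escapes(href, base_dir):
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    for href in find_suspicious_includes(SAMPLE_SVG, "/srv/svg"):
        print("escapes base directory:", href)
```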
References:
- 20230724 APPLE-SA-2023-07-24-1 Safari 16.6
- [oss-security] 20230727 CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters
- [oss-security] 20230906 Re: CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters
- https://bugzilla.suse.com/show_bug.cgi?id=1213502
- https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
- https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
- FEDORA-2023-0873c38acd
- FEDORA-2023-fc79ee273d
- https://news.ycombinator.com/item?id=37415799
- https://security.netapp.com/advisory/ntap-20230831-0011/
- https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
- DSA-5484