CVE-2022-41343
Severity: HIGH 7.5 | EPSS: 54.0%
Dompdf allows remote file inclusion because URI validation failure does not halt font registration
Published: 9/26/2022 | Modified: 2/16/2024
Description
`registerFont` in `FontMetrics.php` in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a `@font-face` rule.
Affected packages (1)
- Packagist: dompdf/dompdf, from 0, < 2.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (9)
- ADVISORY: https://github.com/advisories/GHSA-6x28-7h8c-chx4
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-41343
- PATCH: https://github.com/dompdf/dompdf
- WEB: https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2
- WEB: https://github.com/dompdf/dompdf/issues/2994
- WEB: https://github.com/dompdf/dompdf/pull/2995
- WEB: https://github.com/dompdf/dompdf/releases/tag/v2.0.1
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml
- WEB: https://tantosec.com/blog/cve-2022-41343