CVE-2022-41343
HIGH7.5EPSS 54.0%Dompdf allows remote file inclusion because URI validation failure does not halt font registration
發布日:2022/9/26修改日:2024/2/16
描述
`registerFont` in `FontMetrics.php` in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a `@font-face` rule.
受影響套件(1)
- Packagist/dompdf/dompdffrom 0, < 2.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(9)
- ADVISORYhttps://github.com/advisories/GHSA-6x28-7h8c-chx4
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-41343
- PATCHhttps://github.com/dompdf/dompdf
- WEBhttps://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2
- WEBhttps://github.com/dompdf/dompdf/issues/2994
- WEBhttps://github.com/dompdf/dompdf/pull/2995
- WEBhttps://github.com/dompdf/dompdf/releases/tag/v2.0.1
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml
- WEBhttps://tantosec.com/blog/cve-2022-41343