CRITICAL🇵🇱 Wersja polska

CVE-2021-3902

CVSS 9.8v3.1pub. 2024-11-15upd. 2024-11-19

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

🤖 AI Analysis
How it works

The SVG parser in dompdf improperly restricts the processing of external XML entities (XXE), which allows embedding malicious references to external resources in an SVG document. An attacker can thus trigger SSRF requests to the server's internal infrastructure, disclose internal graphic files, and conduct a PHAR deserialization attack by providing an appropriately crafted file. Importantly, the vulnerability is active even when the isRemoteEnabled option is set to false, which contradicts the common belief in the effectiveness of this security measure.

Impact

An attacker can gain unauthorized access to internal network resources (SSRF), disclose sensitive files from the server, and perform a deserialization attack that potentially leads to server takeover (RCE).

Mitigation & patch

The dompdf library should be updated to version 2.0.0 or later. Patch details are available in the vendor references at: https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799

Who is affected

All versions of the dompdf/dompdf library prior to 2.0.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Dompdf Project Dompdf

    APP
    Dompdf Project
    < 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRFXXEDeserialization
CWE
References

Related vulnerabilities

CVE-2021-3838CRITICAL9.8PL ✓ten sam produkt

RCE przez PHAR deserialization w DomPDF przed wersją 2.0.0

CVE-2023-24813CRITICAL10.0ten sam produkt

Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and...

CVE-2023-23924CRITICAL10.0ten sam produkt

Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passi...

CVE-2022-28368CRITICAL9.8ten sam produkt

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Styl...

CVE-2022-41343HIGH7.5ten sam produkt

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation f...