中危 解释冲突

CVE编号

CVE-2023-24813

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-02-08

漏洞描述

Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	dompdf_project	dompdf	2.0.2	-
	运行在以下环境
	系统	debian_10	php-dompdf	*		Up to (excluding) 0.6.2+dfsg-3
	运行在以下环境
	系统	debian_11	php-dompdf	*		Up to (excluding) 0.6.2+dfsg-3.1
	运行在以下环境
	系统	debian_12	php-dompdf	*		Up to (excluding) 2.0.3+dfsg-1
	运行在以下环境
	系统	debian_sid	php-dompdf	*		Up to (excluding) 2.0.3+dfsg-1

阿里云评分 6.7

• 攻击路径 远程
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 全局影响
• EXP成熟度 未验证
• 补丁情况 官方补丁
• 数据保密性 数据泄露
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 N/A

CWE-ID	漏洞类型
CWE-436	解释冲突

Exp相关链接

- avd.aliyun.com