CVE-2019-20446

Published: Feb 2, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Affected (10)

Products: Gnome: Librsvg · Opensuse: Leap · Fedoraproject: Fedora · +3 more

Show all products

Gnome: Librsvg · Opensuse: Leap · Fedoraproject: Fedora · Debian: Debian Linux · Canonical: Ubuntu Linux · Netapp: Active Iq Unified Manager

1 product

1 product

1 product

1 product

1 product

1 product

Active Iq Unified Manager

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Gnome Librsvg	Before 2.40.21
Gnome Librsvg	From 2.42.0 to 2.42.8
Gnome Librsvg	From 2.44.0 to 2.44.16

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Configuration F

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (14)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://gitlab.gnome.org/GNOME/librsvg/issues/515

Source: cve@mitre.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/

Source: cve@mitre.org

https://security.netapp.com/advisory/ntap-20221111-0004/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4436-1/

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://gitlab.gnome.org/GNOME/librsvg/issues/515

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20221111-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4436-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.