CVE-2022-41343

Published: Sep 25, 2022Modified: May 22, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

Affected (1)

Products: Dompdf Project: Dompdf

Dompdf Project

1 product

Dompdf

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dompdf Project Dompdf	Before 2.0.1

Related CWEs

CWE-552

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (9)

https://github.com/dompdf/dompdf/issues/2994

Source: cve@mitre.org

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/dompdf/dompdf/pull/2995

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/dompdf/dompdf/releases/tag/v2.0.1

Source: cve@mitre.org

Release NotesThird Party Advisory

https://tantosec.com/blog/cve-2022-41343/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/dompdf/dompdf/issues/2994

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/dompdf/dompdf/pull/2995

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/dompdf/dompdf/releases/tag/v2.0.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://tantosec.com/blog/cve-2022-41343/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://tantosec.com/blog/cve-2022-41343/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.