← Back

CVE-2023-38633

nvd nist
Published: Jul 22, 2023Modified: Nov 21, 2024

JSON object

Loading...
5.5
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 / Impact: 3.6
Source: NVD

Description

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Affected (11)

Gnome
1 product
Librsvg
Fedoraproject
1 product
Fedora
Debian
1 product
Debian Linux
Configuration A
7 vulnerable
Vulnerable SoftwareAffected Versions
Gnome
Librsvg
From 2.42.3 to 2.46.6
Librsvg
From 2.48.0 to 2.48.11
Librsvg
From 2.50.0 to 2.50.8
Librsvg
From 2.52.0 to 2.52.10
Librsvg
From 2.54.0 to 2.54.6
Librsvg
From 2.55.0 to 2.55.3
Librsvg
From 2.56.0 to 2.56.3
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 37
Fedora
Version 38
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 11.0
Debian Linux
Version 12.0

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (24)

Source: cve@mitre.org
Mailing ListNot ApplicableThird Party Advisory
Source: cve@mitre.org
ExploitMailing ListThird Party Advisory
Source: cve@mitre.org
Mailing List
Source: cve@mitre.org
Issue TrackingPatchThird Party Advisory
Source: cve@mitre.org
ExploitIssue TrackingVendor Advisory
Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Issue TrackingThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
ExploitTechnical DescriptionThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListNot ApplicableThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitMailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitTechnical DescriptionThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.