Summary

Detail | Value | Detail | Value |
---|---|---|---|
Vendor | Gnome | First view | 2012-09-05 |
Product | Librsvg | Last view | 2023-07-22 |
Version | 2.26.1 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:gnome:librsvg | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
5.5 | 2023-07-22 | CVE-2023-38633 | A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. |
6.5 | 2020-02-02 | CVE-2019-20446 | In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. |
8.8 | 2018-02-09 | CVE-2018-1000041 | GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains an Improper Input Validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appears to be exploitable via the victim processing a specially crafted SVG file containing a UNC path on Windows. |
7.5 | 2016-05-20 | CVE-2016-4348 | The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document. |
7.5 | 2016-05-20 | CVE-2015-7558 | librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document. |
7.5 | 2016-05-20 | CVE-2015-7557 | The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document. |
4.3 | 2013-10-09 | CVE-2013-1881 | GNOME librsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
6.8 | 2012-09-05 | CVE-2011-3146 | librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via an SVG file with a node whose element name starts with "fe," which is misidentified as a RsvgFilterPrimitive. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
66% (4) | CWE-20 | Improper Input Validation |
16% (1) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
16% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
75270 | librsvg Node Type SVG Image Handling Remote DoS |
OpenVAS Exploits

Date | Name | File |
---|---|---|
2012-07-09 | RedHat Update for librsvg2 RHSA-2011:1289-01 | nvt/gb_RHSA-2011_1289-01_librsvg2.nasl |
2012-04-02 | Fedora Update for librsvg2 FEDORA-2011-12312 | nvt/gb_fedora_2011_12312_librsvg2_fc16.nasl |
2011-09-23 | Fedora Update for librsvg2 FEDORA-2011-12301 | nvt/gb_fedora_2011_12301_librsvg2_fc14.nasl |
2011-09-16 | Ubuntu Update for librsvg USN-1206-1 | nvt/gb_ubuntu_USN_1206_1.nasl |
2011-09-12 | Fedora Update for librsvg2 FEDORA-2011-12271 | nvt/gb_fedora_2011_12271_librsvg2_fc15.nasl |
Nessus® Vulnerability Scanner

Date | Name | File | Type |
---|---|---|---|
2018-02-13 | The remote Debian host is missing a security update. | debian_DLA-1278.nasl | ACT_GATHER_INFO |
2017-08-08 | The remote EulerOS host is missing a security update. | EulerOS_SA-2017-1137.nasl | ACT_GATHER_INFO |
2017-08-08 | The remote EulerOS host is missing a security update. | EulerOS_SA-2017-1136.nasl | ACT_GATHER_INFO |
2016-05-20 | The remote openSUSE host is missing a security update. | openSUSE-2016-608.nasl | ACT_GATHER_INFO |
2016-05-20 | The remote Debian host is missing a security-related update. | debian_DSA-3584.nasl | ACT_GATHER_INFO |
2016-05-18 | The remote Debian host is missing a security update. | debian_DLA-477.nasl | ACT_GATHER_INFO |
2016-01-20 | The remote Debian host is missing a security update. | debian_DLA-395.nasl | ACT_GATHER_INFO |
2015-12-22 | The remote FreeBSD host is missing a security-related update. | freebsd_pkg_da634091a84a11e58f5c002590263bf5.nasl | ACT_GATHER_INFO |
2015-12-22 | The remote FreeBSD host is missing a security-related update. | freebsd_pkg_d6c51737a84b11e58f5c002590263bf5.nasl | ACT_GATHER_INFO |
2015-10-22 | The remote SUSE host is missing one or more security updates. | suse_SU-2015-1785-1.nasl | ACT_GATHER_INFO |
2015-01-19 | The remote Solaris system is missing a security patch for third-party software. | solaris11_librsvg_20120626.nasl | ACT_GATHER_INFO |
2014-06-13 | The remote openSUSE host is missing a security update. | suse_11_4_gdk-pixbuf-loader-rsvg-110920.nasl | ACT_GATHER_INFO |
2014-06-13 | The remote openSUSE host is missing a security update. | suse_11_3_gdk-pixbuf-loader-rsvg-110916.nasl | ACT_GATHER_INFO |
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2013-912.nasl | ACT_GATHER_INFO |
2014-03-18 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-2149-2.nasl | ACT_GATHER_INFO |
2014-03-18 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-2149-1.nasl | ACT_GATHER_INFO |
2014-02-04 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2014-0127.nasl | ACT_GATHER_INFO |
2014-02-04 | The remote Scientific Linux host is missing one or more security updates. | sl_20140203_librsvg2_on_SL6_x.nasl | ACT_GATHER_INFO |
2014-02-04 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-0127.nasl | ACT_GATHER_INFO |
2014-02-04 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2014-0127.nasl | ACT_GATHER_INFO |
2014-01-20 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-009.nasl | ACT_GATHER_INFO |
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2011-1289.nasl | ACT_GATHER_INFO |
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20110913_librsvg2_on_SL6_x.nasl | ACT_GATHER_INFO |
2011-12-13 | The remote SuSE 11 host is missing one or more security updates. | suse_11_librsvg-110920.nasl | ACT_GATHER_INFO |
2011-09-20 | The remote Fedora host is missing a security update. | fedora_2011-12301.nasl | ACT_GATHER_INFO |