CVE-2021-3902

NameCVE-2021-3902
DescriptionAn improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-dompdf (PTS)bullseye0.6.2+dfsg-3.1fixed
bookworm2.0.3+dfsg-1fixed
sid3.1.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-dompdfsourcebuster(not affected)
php-dompdfsourcebullseye(not affected)
php-dompdfsource(unstable)2.0.2+dfsg-1

Notes

[bullseye] - php-dompdf <not-affected> (current code reject svg image. Double checked by testing)
[buster] - php-dompdf <not-affected> (current code reject svg image. Double checked by testing)
https://github.com/dompdf/dompdf/issues/2564
https://huntr.dev/bounties/a6071c07-806f-429a-8656-a4742e4191b1
https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799 (v2.0.0)
Search for package or bug name: Reporting problems