CVE-2022-41343

NameCVE-2022-41343
DescriptionregisterFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-dompdf (PTS)buster0.6.2+dfsg-3fixed
bullseye0.6.2+dfsg-3.1fixed
sid0.6.2+dfsg-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-dompdfsource(unstable)(not affected)

Notes

- php-dompdf <not-affected> (Vulnerable code introduced later)
https://github.com/dompdf/dompdf/issues/2994
https://github.com/dompdf/dompdf/pull/2995
https://github.com/dompdf/dompdf/releases/tag/v2.0.1
https://tantosec.com/blog/cve-2022-41343/

Search for package or bug name: Reporting problems