CVE-2022-41343

NameCVE-2022-41343
DescriptionregisterFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-dompdf (PTS)buster0.6.2+dfsg-3fixed
buster (security)0.6.2+dfsg-3+deb10u2fixed
bullseye0.6.2+dfsg-3.1fixed
bookworm2.0.3+dfsg-1fixed
trixie, sid2.0.7+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-dompdfsource(unstable)(not affected)

Notes

- php-dompdf <not-affected> (Vulnerable code introduced later)
https://github.com/dompdf/dompdf/issues/2994
https://github.com/dompdf/dompdf/pull/2995
https://github.com/dompdf/dompdf/releases/tag/v2.0.1
https://tantosec.com/blog/cve-2022-41343/

Search for package or bug name: Reporting problems