CVE-2023-23924

Name	CVE-2023-23924
Description	Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
php-dompdf (PTS)	buster	0.6.2+dfsg-3	fixed
	buster (security)	0.6.2+dfsg-3+deb10u2	fixed
	bullseye	0.6.2+dfsg-3.1	fixed
	bookworm	2.0.3+dfsg-1	fixed
	sid, trixie	2.0.7+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
php-dompdf	source	(unstable)	(not affected)

Notes

- php-dompdf <not-affected> (Vulnerable code not in any Debian released version)
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85 (v2.0.2)