CVE-2023-23924

NameCVE-2023-23924
DescriptionDompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-dompdf (PTS)bullseye0.6.2+dfsg-3.1fixed
bookworm2.0.3+dfsg-1fixed
sid, trixie3.0.0+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-dompdfsource(unstable)(not affected)

Notes

- php-dompdf <not-affected> (Vulnerable code not in any Debian released version)
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85 (v2.0.2)
Search for package or bug name: Reporting problems