Kozea CairoSVG 代码问题漏洞

admin

0
文章

0
评论

2023-11-30 03:01:18 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 Kozea CairoSVG 代码问题漏洞

CVE编号

CVE-2023-27586

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-03-21

漏洞描述

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.

解决建议

"将组件 cairosvg 升级至 2.7.0 及以上版本"

参考链接
https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53
https://github.com/Kozea/CairoSVG/releases/tag/2.7.0
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	courtbouillon	cairosvg	*		Up to (excluding) 2.7.0
	运行在以下环境
	系统	alpine_3.18	py3-cairosvg	*		Up to (excluding) 2.7.0-r0
	运行在以下环境
	系统	alpine_edge	py3-cairosvg	*		Up to (excluding) 2.7.0-r0
	运行在以下环境
	系统	debian_10	cairosvg	*		Up to (including) 1.0.20-1
	运行在以下环境
	系统	debian_11	cairosvg	*		Up to (excluding) 2.5.0-1.1+deb11u1
	运行在以下环境
	系统	debian_12	cairosvg	*		Up to (excluding) 2.5.2-1.1
	运行在以下环境
	系统	debian_sid	cairosvg	*		Up to (excluding) 2.5.2-1.1
	运行在以下环境
	系统	fedora_36	python-cairosvg	*		Up to (excluding) 2.7.0-1.fc36
	运行在以下环境
	系统	fedora_37	python-cairosvg	*		Up to (excluding) 2.7.0-1.fc37
	运行在以下环境
	系统	fedora_38	python-cairosvg	*		Up to (excluding) 2.7.0-1.fc38
	运行在以下环境
	系统	fedora_EPEL_8	python3-cairosvg	*		Up to (excluding) 2.7.0-1.el8
	运行在以下环境
	系统	fedora_EPEL_9	python-cairosvg	*		Up to (excluding) 2.7.0-1.el9
	运行在以下环境
	系统	opensuse_Leap_15.4	python3-CairoSVG	*		Up to (excluding) 2.5.2-bp154.2.3.1
	运行在以下环境
	系统	opensuse_Leap_15.5	python3-CairoSVG	*		Up to (excluding) 2.5.2-bp155.3.3.1