
[GHSA-97m3-52wr-xvv2] Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE #3648

Conversation

bsweeney

Updates

  • Affected products

Comments
This advisory was informational for Dompdf users because of a vulnerability in a tight dependency (php-svg-lib) where Dompdf exposes a larger attack surface. Any version of Dompdf is no longer vulnerable once php-svg-lib is updated to the latest release.
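
Because the defect lives in php-svg-lib rather than in Dompdf itself, the useful audit question is not "which Dompdf version is installed" but "which php-svg-lib version did Composer lock". The script below is an added example, not code from the advisory or the Dompdf project: it reads a composer.lock document, reports the resolved version of phenx/php-svg-lib, and compares it with a minimum fixed version that the caller supplies. The composer.lock content and every version number in it are constructed for the example, and the minimum version passed in is a placeholder; substitute the fixed version stated in the php-svg-lib advisory.

```python
"""Added example (not part of the advisory or of Dompdf): find the locked
version of the transitive dependency phenx/php-svg-lib in composer.lock and
compare it with a caller-supplied minimum fixed version.

All versions below are constructed for the example; the minimum version is a
placeholder to be replaced with the fixed release named in the php-svg-lib
advisory.
"""
import json
import re

SVG_LIB = "phenx/php-svg-lib"


def parse_version(v):
    """Turn a Composer tag such as 'v1.2.3', '1.2' or '1.2.3-beta1' into a
    comparable tuple. Pre-release suffixes are ignored (a simplification),
    and non-tag versions such as 'dev-master' yield None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?", v)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def locked_versions(lock_json):
    """Map package name -> locked version over both 'packages' and
    'packages-dev', since a PDF library may be pulled in either way."""
    lock = json.loads(lock_json)
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def audit_svg_lib(lock_json, min_safe):
    """Return (status, installed_version) with status one of
    'absent', 'unknown', 'vulnerable' or 'fixed'.

    'absent' means the lock file does not pin php-svg-lib at all (this
    exposure path does not apply); 'unknown' means the locked version is a
    branch alias that cannot be compared numerically and needs a manual look.
    """
    installed = locked_versions(lock_json).get(SVG_LIB)
    if installed is None:
        return "absent", None
    parsed = parse_version(installed)
    if parsed is None:
        return "unknown", installed
    status = "fixed" if parsed >= parse_version(min_safe) else "vulnerable"
    return status, installed


# Constructed composer.lock fragment; the package versions are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "dompdf/dompdf", "version": "v9.9.9"},
        {"name": SVG_LIB, "version": "v0.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # "0.2.0" is a placeholder, not the real fixed version.
    status, installed = audit_svg_lib(SAMPLE_LOCK, "0.2.0")
    print(f"{SVG_LIB} {installed}: {status}")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of that project's composer.lock; a status of "unknown" (a dev-branch alias) is worth treating as unresolved rather than safe.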

@github
Collaborator

github commented Feb 23, 2024

Hi there @Blaklis and @bsweeney! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@ohader

ohader commented Feb 23, 2024

See comment by @bsweeney at dompdf/dompdf#3393 (comment)

@darakian @taladrane Could you please prioritize processing this change? It seems to cause some trouble in the dompdf/dompdf community currently. Thanks in advance for your support! ❤️

@bsweeney
Author

Note that this duplicates #3647.

@bsweeney
Author

Any way to make adjustments prior to merge? I just noticed that the CWEs are no longer present.

@advisory-database advisory-database bot merged commit 7f5dcf7 into bsweeney/advisory-improvement-3648 Feb 23, 2024
2 checks passed
@advisory-database advisory-database bot deleted the bsweeney-GHSA-97m3-52wr-xvv2 branch February 23, 2024 15:27
@advisory-database
Contributor

Hi @bsweeney! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@darakian
Contributor

> Any way to make adjustments prior to merge? I just noticed that the CWEs are no longer present.

That's odd. We have them on our backend. Let me ask around if there's something going wrong in the pipeworks.

@bsweeney
Author

> That's odd. We have them on our backend. Let me ask around if there's something going wrong in the pipeworks.

Maybe so. I submitted an update to add them back and noticed that the change didn't actually modify that field in the JSON because the CWE info was still there. 🤷

Thanks so much for your support.

@darakian
Contributor

Np. Turns out it was a pipeworks problem and a fix is in. You should see the CWEs on the web view now :)
