Unrated severityNVD Advisory· Published Jul 22, 2023· Updated Aug 2, 2024

CVE-2023-38633

Description

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Affected products

librsvg/librsvgdescription
osv-coords26 versions
pkg:rpm/almalinux/librsvg2 pkg:rpm/almalinux/librsvg2-devel pkg:rpm/almalinux/librsvg2-tools pkg:rpm/opensuse/librsvg&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/librsvg&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/librsvg&distro=openSUSE%20Leap%20Micro%205.3 pkg:rpm/opensuse/librsvg&distro=openSUSE%20Leap%20Micro%205.4 pkg:rpm/suse/librsvg&distro=SUSE%20Enterprise%20Storage%207 pkg:rpm/suse/librsvg&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/librsvg&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/librsvg&distro=SUSE%20Manager%20Proxy%204.2 pkg:rpm/suse/librsvg&distro=SUSE%20Manager%20Server%204.2
< 2.50.7-1.el9_2.1+ 25 more
- (no CPE)range: < 2.50.7-1.el9_2.1
- (no CPE)range: < 2.50.7-1.el9_2.1
- (no CPE)range: < 2.50.7-1.el9_2.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.52.10-150400.3.6.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1
- (no CPE)range: < 2.46.7-150200.3.9.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/mitrevendor-advisory
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/mitrevendor-advisory
www.debian.org/security/2023/dsa-5484mitrevendor-advisory
seclists.org/fulldisclosure/2023/Jul/43mitremailing-list
www.openwall.com/lists/oss-security/2023/07/27/1mitremailing-list
www.openwall.com/lists/oss-security/2023/09/06/10mitremailing-list
bugzilla.suse.com/show_bug.cgimitre
gitlab.gnome.org/GNOME/librsvg/-/issues/996mitre
gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3mitre
news.ycombinator.com/itemmitre
security.netapp.com/advisory/ntap-20230831-0011/mitre
www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.035
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000