CVE-2023-27586

Name
CVE-2023-27586
Description
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
NVD Severity
medium
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/Kozea/CairoSVG/releases/tag/2.7.0
MISC https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
MISC https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
MISC https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53

Match rules

CPE URI: cpe:2.3:a:courtbouillon:cairosvg:*:*:*:*:*:*:*:*
Source package: cairosvg
Min version: >= None
Max version: < 2.7.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status