CVE-2019-1000005

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-1000005
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1000005.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-1000005
Aliases
Published
2019-02-04T21:29:00Z
Modified
2025-01-14T06:46:13.743426Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable if the attacker can host a crafted image on the victim server and trigger generation of a PDF file with the content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.

References

Affected packages

Git / github.com/mpdf/mpdf

Affected ranges

Type
GIT
Repo
https://github.com/mpdf/mpdf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

7.*

7.0.2

v5.*

v5.3.0
v5.4.0
v5.5.0
v5.5.1
v5.6.1
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.7.3a
v5.7.4
v5.7.4a

v6.*

v6.0-beta
v6.0.0
v6.1.0
v6.1.1
v6.1.2
v6.1.3

v7.*

v7.0.0
v7.0.0-RC1
v7.0.0-RC2
v7.0.0-RC3
v7.0.0-RC4
v7.0.0-beta1
v7.0.0-beta2
v7.0.1
v7.0.3
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7