CVE-2022-41343

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-41343

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41343.json

Aliases

GHSA-6x28-7h8c-chx4

Published

2022-09-25T19:15:09Z

Modified

2023-11-29T09:51:20.556585Z

Details

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

References

https://tantosec.com/blog/cve-2022-41343/
https://github.com/dompdf/dompdf/issues/2994
https://github.com/dompdf/dompdf/pull/2995
https://github.com/dompdf/dompdf/releases/tag/v2.0.1

Affected packages

Git / github.com/dompdf/dompdf

Affected ranges

Type: GIT
Repo: https://github.com/dompdf/dompdf
Events: Introduced

0The exact introduced commit is unknown

Fixed

c5310df0e22c758c85ea5288175fc6cd777bc085

Affected versions

v0.*

v0.6.0

v0.6.0-b3

v0.6.1

v0.6.2

v0.7.0

v0.7.0-beta

v0.7.0-beta2

v0.7.0-beta3

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v2.*

v2.0.0