GHSA-6x28-7h8c-chx4

Source

https://github.com/advisories/GHSA-6x28-7h8c-chx4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-6x28-7h8c-chx4/GHSA-6x28-7h8c-chx4.json

Aliases

CVE-2022-41343

Published

2022-09-26T00:00:23Z

Modified

2024-02-16T08:17:53.612867Z

Details

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-41343
https://github.com/dompdf/dompdf/issues/2994
https://github.com/dompdf/dompdf/pull/2995
https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2
https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml
https://github.com/advisories/GHSA-6x28-7h8c-chx4
https://github.com/dompdf/dompdf
https://github.com/dompdf/dompdf/releases/tag/v2.0.1
https://tantosec.com/blog/cve-2022-41343

Affected packages

Packagist / dompdf/dompdf

Package

Name: dompdf/dompdf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.0.1

Affected versions

v0.*

v0.6.0

v0.6.1

v0.6.2

v0.7.0-beta

v0.7.0-beta2

v0.7.0-beta3

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v2.*

v2.0.0