GHSA-qr6q-w4gj-3865
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qr6q-w4gj-3865
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qr6q-w4gj-3865/GHSA-qr6q-w4gj-3865.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qr6q-w4gj-3865
- Aliases
- Published
- 2022-05-14T02:53:19Z
- Modified
- 2024-12-08T05:33:39.406584Z
- Summary
- DOMPDF Arbitrary File Read
- Details
-
dompdf.php in dompdf before 0.6.1, when
DOMPDF_ENABLE_PHPis enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the inputfile parameter, as demonstrated by aphp://filter/read=convert.base64-encode/resourcein the inputfile parameter. - Database specific
{ "nvd_published_at": "2014-04-28T14:09:00Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-25T23:00:25Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-2383
- https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028
- https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-2383.yaml
- https://github.com/dompdf/dompdf
- https://web.archive.org/web/20151215023329/http://www.securityfocus.com/archive/1/531912/100/0/threaded
- http://seclists.org/fulldisclosure/2014/Apr/258
Affected packages
Packagist / dompdf/dompdf
Package
- Name
- dompdf/dompdf
- Purl
- pkg:composer/dompdf/dompdf