CVE-2019-20446

Опубликовано: 02 фев. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html
Mailing List
Third Party Advisory
https://gitlab.gnome.org/GNOME/librsvg/issues/515
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.netapp.com/advisory/ntap-20221111-0004/
Third Party Advisory
https://usn.ubuntu.com/4436-1/
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html
Mailing List
Third Party Advisory
https://gitlab.gnome.org/GNOME/librsvg/issues/515
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.netapp.com/advisory/ntap-20221111-0004/
Third Party Advisory
https://usn.ubuntu.com/4436-1/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:gnome:librsvg:*:*:*:*:*:*:*:*

Версия до 2.40.21 (исключая)

cpe:2.3:a:gnome:librsvg:*:*:*:*:*:*:*:*

Версия от 2.42.0 (включая) до 2.42.8 (исключая)

cpe:2.3:a:gnome:librsvg:*:*:*:*:*:*:*:*

Версия от 2.44.0 (включая) до 2.44.16 (исключая)

Конфигурация 2

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Конфигурация 4

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Конфигурация 6

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

EPSS

Процентиль: 80%

0.01495

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-400

Связанные уязвимости

CVE-2019-20446

CVSS3: 6.5

ubuntu

больше 5 лет назад

CVE-2019-20446

CVSS3: 6.5

redhat

больше 5 лет назад

CVE-2019-20446

CVSS3: 6.5

debian

больше 5 лет назад

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nest ...

openSUSE-SU-2020:0343-1

suse-cvrf

больше 5 лет назад

Security update for librsvg

SUSE-SU-2020:0629-2

suse-cvrf

почти 5 лет назад

Security update for librsvg

EPSS

Процентиль: 80%

0.01495

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-400