Description
A flaw was found in CairoSVG, an SVG converter. A remote attacker could exploit this vulnerability by submitting a specially crafted SVG file that contains recursive <use> elements. This can lead to an exponential increase in processing time and CPU exhaustion, resulting in a Denial of Service (DoS) for the system.
Statement
This is an IMPORTANT denial of service vulnerability in CairoSVG, affecting systems that process untrusted SVG input. The flaw allows an attacker to trigger exponential CPU exhaustion through recursive <use> element amplification. Red Hat products that include python-cairosvg and process untrusted SVG content are affected.
Mitigation
To mitigate this issue, avoid processing untrusted SVG files with CairoSVG. If processing untrusted SVG content is unavoidable, consider isolating the CairoSVG processing within a sandboxed environment to limit potential resource exhaustion.
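A defensive pre-check a service could run before handing an SVG to CairoSVG, added here as an example and not part of this advisory or of CairoSVG's own code: it counts how many element instances expanding every `<use>` would create and rejects cycles or over-large expansions before any rendering work starts. The sample documents are constructed, and `max_nodes` is an assumed budget.

```python
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def use_expansion_count(svg_text, max_nodes=10_000):
    """Count the element instances that expanding every <use> would create.
    Raises ValueError on a <use> cycle or once the count exceeds max_nodes;
    memoisation keeps the walk linear even when the expansion is exponential."""
    root = ET.fromstring(svg_text)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    memo, on_stack = {}, set()

    def count(elem):
        key = id(elem)
        if key in on_stack:
            raise ValueError("recursive <use> reference")
        if key in memo:
            return memo[key]
        on_stack.add(key)
        total = 1
        if elem.tag == SVG + "use":  # follow href="#id" / xlink:href="#id"
            ref = elem.get("href") or elem.get(XLINK_HREF) or ""
            target = by_id.get(ref[1:]) if ref.startswith("#") else None
            if target is not None:
                total += count(target)
        for child in elem:
            if child.tag != SVG + "defs":  # <defs> content renders only via <use>
                total += count(child)
        on_stack.discard(key)
        memo[key] = total
        if total > max_nodes:
            raise ValueError(f"<use> expansion would create {total} nodes")
        return total

    return count(root)


def is_safe_svg(svg_text, max_nodes=10_000):
    try:
        return use_expansion_count(svg_text, max_nodes) <= max_nodes
    except ValueError:
        return False


# Constructed samples: ten doubling layers (2**10 leaf rects) and a self-reference.
AMPLIFIED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><defs><g id="g0"><rect width="1" height="1"/></g>'
    + "".join(f'<g id="g{i}"><use href="#g{i-1}"/><use href="#g{i-1}"/></g>' for i in range(1, 11))
    + '</defs><use href="#g10"/></svg>')
CYCLIC_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><g id="a"><use href="#a"/></g></svg>'
```

This only covers `<use>` amplification, so the rendering step should still run under a CPU and memory limit (for example in a subprocess constrained with `resource.setrlimit`), as the mitigation above recommends.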
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.
CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
EPSS
CVSS3: 7.5 High