CVE-2021-3838 (Critical) detected in dompdf/dompdf-v1.0.2 #81
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-3838 - Critical Severity Vulnerability
DOMPDF is a CSS 2.1 compliant HTML to PDF converter
Library home page: https://api.github.com/repos/dompdf/dompdf/zipball/8768448244967a46d6e67b891d30878e0e15d25c
Dependency Hierarchy:
Found in HEAD commit: 928b87c3f458bb28df552e1c49bfeb1231a16bcf
Found in base branch: main
DomPDF prior to 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when DOMPdf is used with frameworks with documented POP chains like Laravel / vulnerable developer code.
Publish Date: 2021-09-29
URL: CVE-2021-3838
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e/
Release Date: 2021-09-29
Fix Resolution: v2.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: