Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NzdwLTdqN2gtMmpnZs4ABBYY
Deserialization of Untrusted Data in dompdf/dompdf
Dompdf before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization because the protocol (URL scheme) of a resource path is not checked before the path is passed to the file_get_contents() function. An attacker who can upload files of any type to the server can supply the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when Dompdf is used with frameworks that have documented POP chains, such as Laravel, or with vulnerable developer code.
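The weakness described above is the absence of a scheme check on a path that reaches file_get_contents(). The following is an added illustration of the defensive pattern, not dompdf's own code and not a copy of the fix in the linked commit: an allowlist of URL schemes is enforced before any stream wrapper is invoked, so phar:// (and any other unexpected wrapper) is rejected up front. The function name fetchAllowedResource and the sample paths are constructed for this example.

```php
<?php
// Added example (not dompdf code): allowlist the URL scheme of a
// user-influenced resource path before handing it to file_get_contents().
// The advisory describes the opposite: the path went straight to
// file_get_contents(), so PHP's phar:// stream wrapper could be reached.

/**
 * Return the contents of $resource only if its scheme is on the allowlist.
 * A path with no "scheme://" prefix is treated as a plain local file.
 *
 * @throws InvalidArgumentException when the scheme is not allowed
 * @throws RuntimeException         when the resource cannot be read
 */
function fetchAllowedResource(string $resource, array $allowedSchemes = ['http', 'https', 'file']): string
{
    // Determine the scheme the way PHP's stream-wrapper layer would:
    // everything before the first "://". Compare case-insensitively,
    // since wrapper names are matched case-insensitively by PHP.
    $scheme = 'file';
    if (preg_match('#^([a-zA-Z][a-zA-Z0-9+.\-]*)://#', $resource, $m) === 1) {
        $scheme = strtolower($m[1]);
    }

    if (!in_array($scheme, $allowedSchemes, true)) {
        throw new InvalidArgumentException("Disallowed URL scheme: {$scheme}://");
    }

    $data = @file_get_contents($resource);
    if ($data === false) {
        throw new RuntimeException("Could not read resource: {$resource}");
    }
    return $data;
}

// Constructed inputs for demonstration only.
$samples = [
    'https://example.invalid/logo.png',           // allowed scheme
    '/var/www/app/public/logo.png',               // scheme-less local path
    'PHAR:///var/www/app/storage/uploads/a.jpg',  // rejected regardless of case
    'data:text/plain;base64,SGVsbG8=',            // rejected: not on the allowlist
];

foreach ($samples as $s) {
    try {
        fetchAllowedResource($s);
        echo "accepted: {$s}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$s} ({$e->getMessage()})\n";
    } catch (RuntimeException $e) {
        echo "read failed: {$s}\n";
    }
}
```

The check runs before file_get_contents() is called, which is the point: once a phar:// path reaches a stream function, PHP reads the archive's serialized metadata as part of opening it, so filtering after the fact is too late. Whether 'file' belongs on the allowlist depends on the deployment; a service that only ever renders remote images should drop it.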
Permalink: https://github.com/advisories/GHSA-577p-7j7h-2jgf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NzdwLTdqN2gtMmpnZs4ABBYY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 days ago
Updated: 2 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-577p-7j7h-2jgf, CVE-2021-3838
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3838
- https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
- https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e
- https://github.com/advisories/GHSA-577p-7j7h-2jgf
Blast Radius: 42.6
Affected Packages
packagist:dompdf/dompdf
Dependent packages: 555
Dependent repositories: 22,012
Downloads: 112,987,439 total
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.7, 2.0.8, 3.0.0