Improper Input Validation in GNOME librsvg Allows Remote Attackers to Gain Sensitive Information
CVE-2018-1000041

8.8HIGH

Key Information:

Vendor
Gnome
Status
Librsvg
Vendor
CVE Published:
9 February 2018

Summary

GNOME librsvg contains an improper input validation issue within rsvg-io.c that may expose sensitive information to remote attackers. When victims process a maliciously crafted SVG file that includes a UNC path on Windows, their Windows username and NTLM password hash can be leaked through SMB. This vulnerability highlights the importance of secure handling of input files and calls for immediate attention to mitigate potential exploits.

References

https://github.com/ImageMagick/librsvg/commit/f9d69eadd2b...
x_refsource_CONFIRM
https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88...
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/02/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-1000041 : Improper Input Validation in GNOME librsvg Allows Remote Attackers to Gain Sensitive Information | SecurityVulnerability.io