Improper Restriction of External Entities (XXE) Vulnerability
CVE-2021-3902

9.8CRITICAL

Key Information:

Vendor: DomPDF
Status: DomPDF/domPDF
Vendor: CVE Published:; 15 November 2024

What is CVE-2021-3902?

An issue exists in the SVG parser of dompdf, where improper restrictions on external entities can lead to Server-Side Request Forgery (SSRF) and deserialization attacks. This vulnerability allows attackers to exploit the system irrespective of the isRemoteEnabled option being set to false. It may result in the disclosure of internal image files and enable PHAR deserialization attacks, posing significant risks to the integrity of the application and its data.

Affected Version(s)

dompdf/dompdf < 2.0.0

References

https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e...

https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Oct 24, 2021

DomPDF

What is CVE-2021-3902?

Affected Version(s)

References

CVSS V3.1

Timeline