Vulnerability Details : CVE-2022-41343
Potential exploit
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
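The following PHP is an added example and not code from Dompdf or from this page: it models the control-flow defect the description names, a URI check whose failure is recorded but does not stop font registration, next to the corrected flow that returns as soon as validation fails (the shape of the fix named in the referenced pull request title "Halt font registration when URL fails validation"). The class and method names, the URI policy and the sample @font-face rule are hypothetical; `phar://` is used as the constructed rejected scheme because the referenced exploit write-up is titled "RCE via Phar Deserialisation", and no exploit steps are shown.

```php
<?php
declare(strict_types=1);

// Added example (not Dompdf's code): a minimal model of the control-flow bug
// described for CVE-2022-41343. Class, method and variable names are hypothetical.
// The only point under test is whether a failed URI check stops registration.
final class FontRegistrar
{
    /** @var array<string, string> registered fonts, family => source URI */
    private array $fonts = [];

    /** @var string[] validation messages collected while registering */
    private array $log = [];

    /**
     * Hypothetical URI policy: accept schemeless (relative) paths and http(s)
     * URLs; reject every other scheme so that PHP stream wrappers such as
     * phar:// cannot be reached through a font source.
     */
    public function validateUri(string $uri): bool
    {
        $scheme = parse_url($uri, PHP_URL_SCHEME);
        if ($scheme === false) {
            return false;           // unparseable URI
        }
        if ($scheme === null) {
            return true;            // relative path, no scheme at all
        }
        return in_array(strtolower($scheme), ['http', 'https'], true);
    }

    /** Vulnerable pattern: the failure is recorded, then execution falls through. */
    public function registerFontVulnerable(string $family, string $src): bool
    {
        if (!$this->validateUri($src)) {
            $this->log[] = "rejected font URI: $src";
            // no return or throw here, so the font is registered anyway
        }
        $this->fonts[$family] = $src;
        return true;
    }

    /** Fixed pattern: halt as soon as validation fails. */
    public function registerFontFixed(string $family, string $src): bool
    {
        if (!$this->validateUri($src)) {
            $this->log[] = "rejected font URI: $src";
            return false;
        }
        $this->fonts[$family] = $src;
        return true;
    }

    /** @return array<string, string> */
    public function fonts(): array
    {
        return $this->fonts;
    }

    /** @return string[] */
    public function log(): array
    {
        return $this->log;
    }
}

// Constructed input: a @font-face rule whose src points at a PHP stream wrapper
// instead of an http(s) URL. Only the shape matters here; the path is made up.
$css = '@font-face { font-family: "evil"; src: url("phar://uploads/font.phar/f.ttf"); }';

// Toy extraction of family and src from the single rule above (not a CSS parser).
if (!preg_match('/font-family:\s*"([^"]+)"\s*;\s*src:\s*url\("([^"]+)"\)/', $css, $m)) {
    fwrite(STDERR, "no @font-face rule found\n");
    exit(1);
}
[, $family, $src] = $m;

$vulnerable = new FontRegistrar();
$vulnerable->registerFontVulnerable($family, $src);
printf("vulnerable: logged=%d registered=%d\n",
    count($vulnerable->log()), count($vulnerable->fonts()));

$fixed = new FontRegistrar();
$ok = $fixed->registerFontFixed($family, $src);
printf("fixed: returned=%s logged=%d registered=%d\n",
    $ok ? 'true' : 'false', count($fixed->log()), count($fixed->fonts()));

// A benign http(s) source still registers under the fixed flow.
$fixed->registerFontFixed('ok', 'https://fonts.example/dejavu.ttf');
printf("fixed after benign font: registered=%d\n", count($fixed->fonts()));
```

Run it with `php example.php`. In the vulnerable flow the rejected URI appears in the log and is nevertheless registered; in the fixed flow the method returns false and the font map stays empty until a URI that passes the policy is offered. The lesson for reviewing similar code is that a validator whose result is only logged provides no protection; the caller must return, throw, or otherwise leave the registration path on failure.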
Vulnerability category: File inclusion
Products affected by CVE-2022-41343
- cpe:2.3:a:dompdf_project:dompdf:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41343
- Score: 0.34% (probability of exploitation activity in the next 30 days)
- Percentile: ~71% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2022-41343
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2022-41343
- The product makes files or directories accessible to unauthorized actors, even though they should not be. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-41343
- https://github.com/dompdf/dompdf/releases/tag/v2.0.1 : "Release Dompdf 2.0.1 · dompdf/dompdf · GitHub" [Release Notes; Third Party Advisory]
- https://github.com/dompdf/dompdf/pull/2995 : "Halt font registration when URL fails validation by bsweeney · Pull Request #2995 · dompdf/dompdf · GitHub" [Patch; Third Party Advisory]
- https://tantosec.com/blog/cve-2022-41343/ : "CVE-2022-41343 - RCE via Phar Deserialisation" [Exploit; Third Party Advisory]
- https://github.com/dompdf/dompdf/issues/2994 : "URI validation failure does not halt font registration · Issue #2994 · dompdf/dompdf · GitHub" [Exploit; Issue Tracking; Patch; Third Party Advisory]