CVE-2023-38633: in librsvg: Arbitrary file read when xinclude href has special characters
First published: Sat Jul 22 2023(Updated: )
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/librsvg | <=2.54.5+dfsg-3<=2.50.3+dfsg-1 | 2.54.7+dfsg-1 2.54.7+dfsg-1~deb12u1 2.50.3+dfsg-1+deb11u1 |
| GNOME librsvg | <2.46.6 | |
| GNOME librsvg | >=2.48.0<2.48.11 | |
| GNOME librsvg | >=2.50.0<2.50.8 | |
| GNOME librsvg | >=2.52.0<2.52.10 | |
| GNOME librsvg | >=2.54.0<2.54.6 | |
| GNOME librsvg | >=2.55.0<2.55.3 | |
| GNOME librsvg | >=2.56.0<2.56.3 | |
| Fedoraproject Fedora | =38 | |
| ubuntu/librsvg | <2.56.91<2.56.3<2.55.3<2.54.6<2.52.10<2.50.8<2.48.11<2.46.6 | 2.56.91 2.56.3 2.55.3 2.54.6 2.52.10 2.50.8 2.48.11 2.46.6 |
| ubuntu/librsvg | <2.48.9-1ubuntu0.20.04.4 | 2.48.9-1ubuntu0.20.04.4 |
| ubuntu/librsvg | <2.52.5+dfsg-3ubuntu0.2 | 2.52.5+dfsg-3ubuntu0.2 |
| ubuntu/librsvg | <2.54.5+dfsg-1ubuntu2.1 | 2.54.5+dfsg-1ubuntu2.1 |
| debian/librsvg | 2.44.10-2.1+deb10u3 2.50.3+dfsg-1+deb11u1 2.54.7+dfsg-1~deb12u1 2.54.7+dfsg-2 | |
| GNOME librsvg | >=2.42.3<2.46.6 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 |
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/8d2cb4be8714dfbf0914bdcf9df3b246516e7f83 (main)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/1ccb995f5a30c9abec77d2fe390a323a82dffd89 (2.55)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/15293f1243e1dd4756ffc1d13d5a8ea49167174f (2.54)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/f835dee461de1128e19f4b1e962bf5ceec66a0e8 (2.52)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/d1f066bf2198bd46c5ba80cb5123b768ec16e37d (2.50)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/25e2e0301d4ca120189e0fcdd3d01656d59bc2c6 (2.48)
Remedy
https://gitlab.gnome.org/GNOME/librsvg/-/commit/22bcb919c8b39133370c7fc0eb27176fb09aa4fb (2.46)
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
- https://security-tracker.debian.org/tracker/CVE-2023-38633
- https://www.cve.org/CVERecord?id=CVE-2023-38633
- https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/18
- https://salsa.debian.org/gnome-team/librsvg/-/commit/910bc84280648f2e011a359230a83e4be06d41e0
- https://salsa.debian.org/gnome-team/librsvg/-/commit/49132e6ff06ecaa6521af956db10143142f78c1f
- https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/20
- https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/19
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041810
- https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
- https://bugzilla.suse.com/show_bug.cgi?id=1213502
- http://seclists.org/fulldisclosure/2023/Jul/43
- http://www.openwall.com/lists/oss-security/2023/07/27/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/
- https://www.debian.org/security/2023/dsa-5484
- https://security.netapp.com/advisory/ntap-20230831-0011/
- http://www.openwall.com/lists/oss-security/2023/09/06/10
- https://news.ycombinator.com/item?id=37415799
- https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
- https://launchpad.net/bugs/cve/CVE-2023-38633
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/
- https://gitlab.gnome.org/GNOME/librsvg/-/issues/996#note_1806622
- https://access.redhat.com/errata/RHSA-2023:4809
- https://access.redhat.com/errata/RHSA-2023:5081
- https://bugzilla.redhat.com/show_bug.cgi?id=2224945
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/15293f1243e1dd4756ffc1d13d5a8ea49167174f
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/d1f066bf2198bd46c5ba80cb5123b768ec16e37d
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/22bcb919c8b39133370c7fc0eb27176fb09aa4fb
- https://www.openwall.com/lists/oss-security/2023/07/27/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38633
- https://marc.info/?i=73b96607-5080-939c-d354-33da849d195d@oracle.com
- https://ubuntu.com/security/notices/USN-6266-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-38633
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/8d2cb4be8714dfbf0914bdcf9df3b246516e7f83 (main)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/1ccb995f5a30c9abec77d2fe390a323a82dffd89 (2.55)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/15293f1243e1dd4756ffc1d13d5a8ea49167174f (2.54)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/f835dee461de1128e19f4b1e962bf5ceec66a0e8 (2.52)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/d1f066bf2198bd46c5ba80cb5123b768ec16e37d (2.50)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/25e2e0301d4ca120189e0fcdd3d01656d59bc2c6 (2.48)
- https://gitlab.gnome.org/GNOME/librsvg/-/commit/22bcb919c8b39133370c7fc0eb27176fb09aa4fb (2.46)
- https://ubuntu.com/security/CVE-2023-38633
Frequently Asked Questions
What is CVE-2023-38633?
CVE-2023-38633 is a vulnerability in librsvg that allows for arbitrary file read when xinclude href has special characters.
How severe is CVE-2023-38633?
CVE-2023-38633 has a severity rating of 5.5/10, which is considered medium.
How can I exploit CVE-2023-38633?
CVE-2023-38633 can be exploited by using a directory traversal technique with specially crafted href in an xi:include element.
What is the affected software for CVE-2023-38633?
The affected software for CVE-2023-38633 includes versions of librsvg before 2.56.3.
How do I fix CVE-2023-38633?
To fix CVE-2023-38633, update to version 2.56.3 or later of librsvg.
- collector/oss-sec
- alias/CVE-2023-38633
- collector/nvd-latest
- collector/debian-bugs
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/security-tracker-debian
- source/Debian
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/event
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/gnome
- canonical/gnome librsvg
- version/gnome librsvg/2.48.0
- version/gnome librsvg/2.50.0
- version/gnome librsvg/2.52.0
- version/gnome librsvg/2.54.0
- version/gnome librsvg/2.55.0
- version/gnome librsvg/2.56.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- package-manager/ubuntu
- version/gnome librsvg/2.42.3
- version/fedoraproject fedora/37
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- version/debian debian linux/12.0