CVE-2023-27586: CairoSVG improperly processes SVG files loaded from external resources

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-27586

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

CairoSVG improperly processes SVG files loaded from external resources

Source: NVD (National Vulnerability Database)

Vulnerability Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

输入验证不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Kozea CairoSVG 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Kozea CairoSVG是Kozea社区的一个基于Python可将SVG文件转换为为PDF，EPS，PS和PNG文件的软件。 Kozea CairoSVG 2.7.0之前版本存在代码问题漏洞，该漏洞源于Cairo 在处理 SVG 文件时可以向外部主机发送请求。攻击者可以利用该漏洞发送特制的 SVG 文件，执行服务器端请求伪造或拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Kozea	CairoSVG	< 2.7.0	-

II. Public POCs for CVE-2023-27586

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-27586

Please Login to view more intelligence information

https://github.com/Kozea/CairoSVG/releases/tag/2.7.0x_refsource_MISC
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gvx_refsource_CONFIRM
https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255x_refsource_MISC
https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-27586

IV. Related Vulnerabilities

Same product: CairoSVG

Same vendor: Kozea

Same weakness: CWE-20

V. Comments for CVE-2023-27586

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-27586

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-27586

III. Intelligence Information for CVE-2023-27586

IV. Related Vulnerabilities

V. Comments for CVE-2023-27586

Leave a comment