Multiple vulnerabilities in inkscape
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2012-6076 CVE-2012-5656 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
inkscape Other software / Other software solutions |
| Vendor | inkscape.org |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU43010
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-6076
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Inkscape before 0.48.4 reads .eps files from /tmp instead of the current directory, which might cause Inkspace to process unintended files, allow local users to obtain sensitive information, and possibly have other unspecified impacts.
MitigationInstall update from vendor's website.
Vulnerable software versionsinkscape: 0.37 - 0.48.3
CPE2.3
- cpe:2.3:a:inkscape.org:inkscape:0.37:*:*:*:*:*:*:*
- Full software list in CPE2.3 format available after registration.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654341
http://lists.opensuse.org/opensuse-updates/2013-02/msg00041.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00043.html
http://www.openwall.com/lists/oss-security/2012/12/30/2
http://www.ubuntu.com/usn/USN-1712-1
http://bugs.launchpad.net/inkscape/+bug/911146
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU43168
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-5656
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsinkscape: 0.37 - 0.48.3
CPE2.3
- cpe:2.3:a:inkscape.org:inkscape:0.37:*:*:*:*:*:*:*
- Full software list in CPE2.3 format available after registration.
http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/095024.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095398.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00041.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00043.html
http://www.openwall.com/lists/oss-security/2012/12/20/3
http://www.securityfocus.com/bid/56965
http://www.ubuntu.com/usn/USN-1712-1
http://bugs.launchpad.net/inkscape/+bug/1025185
http://launchpad.net/inkscape/+milestone/0.48.4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
