SB2023021613 - Remote code execution in Dompdf

Description

This security bulletin contains information about 1 security vulnerability.

1) Files or Directories Accessible to External Parties (CVE-ID: CVE-2022-41343)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure handling of data passed via the "src:url" field of an @font-face Cascading Style Sheets (CSS) statement inside an HTML input file to the registerFont() function in FontMetrics.php. A remote attacker can write arbitrary data to the filesystem (e.g. can create a .php file) and later execute it on the server.

Note, the vulnerability exists due to insufficient patch for #VU72315 (CVE-2022-28368).

Remediation

Install update from vendor's website.

References

• https://github.com/dompdf/dompdf/releases/tag/v2.0.1
• https://github.com/dompdf/dompdf/issues/2994
• https://github.com/dompdf/dompdf/pull/2995
• https://tantosec.com/blog/cve-2022-41343/