External Control of File Name or Path in Dompdf - CVE-2022-2400

 

External Control of File Name or Path in Dompdf - CVE-2022-2400

Published: February 16, 2023


Vulnerability identifier: #VU72317
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-2400
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: dompdf
Affected software:
Dompdf

Detailed vulnerability description

The vulnerability allows a remote attacker to view arbitrary images on the system.

The vulnerability exists due to application allows an attacker to control path of the files to include into the generated PDF output. A remote attacker can pass a specially crafted path to the application and include arbitrary images from the server into the resulting PDF file.


How to mitigate CVE-2022-2400

Install updates from vendor's website.

Sources