Main Vulnerability Database Vulnerabilities #VU72317

External Control of File Name or Path in Dompdf - CVE-2022-2400

Published: February 16, 2023

Vulnerability identifier: #VU72317

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-2400

CWE-ID: CWE-73

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Dompdf

Software vendor:
dompdf

Description

The vulnerability allows a remote attacker to view arbitrary images on the system.

The vulnerability exists due to application allows an attacker to control path of the files to include into the generated PDF output. A remote attacker can pass a specially crafted path to the application and include arbitrary images from the server into the resulting PDF file.

Remediation

Install updates from vendor's website.

External links

https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a

External Control of File Name or Path in Dompdf - CVE-2022-2400

Description

Remediation

External links

Please verify you're human