PT-2013-1190 · Gnome+4 · Libsvg2+5

Alexey Osipov +1 · Published 2013-10-10 · Updated 2016-12-08 · CVE-2013-1881

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

librsvg2 versions 2.26.0
GNOME libsvg versions prior to 2.39.0

Description

The issue allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of this issue can be carried out remotely.

Recommendations

For librsvg2 version 2.26.0, update to a version that includes the fix for this issue. For GNOME libsvg versions prior to 2.39.0, update to version 2.39.0 or later. As a temporary workaround, consider restricting the use of XML external entities in librsvg2 until a patch is available.
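
One way to apply the temporary workaround in an application that accepts untrusted SVG is to screen each document for external entity declarations before it reaches the renderer. The following is an added example, not code from librsvg or from this advisory; the function names, the sample documents and the placeholder file path are assumptions made for illustration. It only inspects entity declarations in the document's internal DTD subset.

```python
import xml.parsers.expat

# Constructed sample inputs (not from the advisory); the file path is a placeholder.
SVG_WITH_EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///path/placeholder.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>
"""

SVG_PLAIN = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
</svg>
"""


def find_external_entities(data: bytes) -> list:
    """Return (name, system_id, public_id) for each external entity declared.

    expat only reports the declarations here; no ExternalEntityRefHandler is
    set, so nothing is fetched from disk or from the network.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones have
        # value None and a system and/or public identifier.
        if value is None and (system_id or public_id):
            found.append((name, system_id, public_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return found


def is_safe_to_render(data: bytes) -> bool:
    """Reject malformed documents and any document declaring an external entity."""
    try:
        return not find_external_entities(data)
    except xml.parsers.expat.ExpatError:
        return False
```

A screen like this complements the update to a fixed version and does not replace it.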

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2013-1022
BDU:2015-07369
BDU:2015-07370
BDU:2015-07371
BDU:2015-09004
BDU:2015-09005
BDU:2015-09006
CESA-2014_0127
CVE-2013-1881
MGASA-2014-0004
OPENSUSE-SU-2024:10229-1
RHSA-2014:0127
RHSA-2014_0127
SUSE-SU-2015:1785-1
SUSE-SU-2015_1785-1

Affected Products

Alt Linux
Centos
Gnome Librsvg
Red Hat
Suse
Libsvg2