PT-2014-4669 · Dompdf · Dompdf

Published

2014-04-28

·

Updated

2023-02-02

·

CVE-2014-2383

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

dompdf versions prior to 0.6.1

Description

The issue allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter. This can be demonstrated with a php://filter/read=convert.base64-encode/resource value in the input_file parameter when DOMPDF_ENABLE_PHP is enabled.

Recommendations

For versions prior to 0.6.1, update to version 0.6.1 or later to resolve the issue. As a temporary workaround, consider disabling the DOMPDF_ENABLE_PHP option to minimize the risk of exploitation. Restrict access to the input_file parameter so that attackers cannot bypass the chroot protections. Avoid using the php://filter/read=convert.base64-encode/resource wrapper in the input_file parameter until the issue is resolved.
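As an added example (not dompdf's own code), the following PHP check is one way a caller can restrict the input_file value before handing it to dompdf: it rejects any scheme or stream-wrapper syntax outright, then resolves the remaining path and confines it to the configured chroot directory. The $chroot directory, the resolveInputFile function name and the sample inputs are constructed here for the demonstration.

```php
<?php
// Added example, not dompdf's own code: validate an input_file value so that
// PHP stream wrappers and path traversal cannot escape the allowed directory.
// $chroot is assumed to be the directory dompdf is configured to read from.

function resolveInputFile(string $inputFile, string $chroot): ?string
{
    // Reject anything that names a scheme or stream wrapper (php://, data://,
    // file://, ...). realpath() does not resolve wrappers, so such a value must
    // never reach the filesystem check below.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $inputFile)) {
        return null;
    }
    // Reject embedded NUL bytes, which truncate paths in some PHP functions.
    if (strpos($inputFile, "\0") !== false) {
        return null;
    }
    $base = realpath($chroot);
    if ($base === false) {
        return null;
    }
    // Resolve symlinks and ".." segments relative to the real chroot directory,
    // never relative to whatever the raw string claims.
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($inputFile, '/\\'));
    if ($real === false) {
        return null;
    }
    // The resolved file must lie inside the chroot (prefix check including the
    // separator, so "/srv/chroot_evil" does not pass for chroot "/srv/chroot").
    if ($real !== $base && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed inputs for the demonstration.
$chroot = sys_get_temp_dir() . '/dompdf_chroot_demo';
@mkdir($chroot);
file_put_contents($chroot . '/report.html', '<h1>ok</h1>');

$cases = [
    'report.html',
    '../etc/passwd',
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',
    'file:///etc/passwd',
];
foreach ($cases as $c) {
    $r = resolveInputFile($c, $chroot);
    printf("%-62s => %s\n", $c, $r === null ? 'REJECTED' : 'OK: ' . $r);
}
```

Only the first case resolves to a file; the traversal and both wrapper forms are rejected before dompdf sees them.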

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2014-2383
GHSA-QR6Q-W4GJ-3865

Affected Products

Dompdf