CVE-2021-21236
Published: 6 January 2021
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
Priority
Status
Package | Release | Status |
---|---|---|
cairosvg Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Needs triage
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
- https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc (2.5.1)
- https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
- https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
- https://pypi.org/project/CairoSVG/
- https://www.cve.org/CVERecord?id=CVE-2021-21236
- NVD
- Launchpad
- Debian