CVE-2021-21236
Published: 6 January 2021
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
Priority
Status
Package | Release | Status |
---|---|---|
cairosvg Launchpad, Ubuntu, Debian |
upstream |
Needs triage
|
groovy |
Ignored
(end of life)
|
|
bionic |
Needs triage
|
|
focal |
Needs triage
|
|
hirsute |
Ignored
(end of life)
|
|
trusty |
Does not exist
|
|
xenial |
Needs triage
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
jammy |
Needs triage
|
|
impish |
Ignored
(end of life)
|
|
mantic |
Needs triage
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21236
- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
- https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc (2.5.1)
- https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
- https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
- https://pypi.org/project/CairoSVG/
- NVD
- Launchpad
- Debian