Back to bug 2224945
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Sandipan Roy | 2023-07-24 03:17:20 UTC | Depends On | 2224947, 2224946 | |
| Sandipan Roy | 2023-07-24 03:17:21 UTC | Blocks | 2224948 | |
| TEJ RATHI | 2023-07-25 06:43:39 UTC | CC | bdettelb, jsherril, mclasen | |
| Sandipan Roy | 2023-07-25 06:49:41 UTC | CC | mclasen | |
| TEJ RATHI | 2023-07-26 08:16:35 UTC | CC | jsherril | |
| | | CC | mclasen | |
| TEJ RATHI | 2023-07-26 08:22:33 UTC | Doc Text | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This flaw could be exploited by an attackers to disclose files (on the local filesystem outside of the expected area), when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. | |
| TEJ RATHI | 2023-07-26 08:29:45 UTC | Doc Text | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This flaw could be exploited by an attackers to disclose files (on the local filesystem outside of the expected area), when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This flaw could be exploited by an attacker by sending a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system (on the local filesystem outside of the expected area). |
| TEJ RATHI | 2023-07-26 08:32:45 UTC | Doc Text | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This flaw could be exploited by an attacker by sending a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system (on the local filesystem outside of the expected area). | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. The vulnerability can be exploited when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system, affecting the data confidentiality. |
| TEJ RATHI | 2023-07-26 08:34:31 UTC | Alias | TRIAGE-CVE-2023-38633 | CVE-2023-38633 |
| | | Summary | TRIAGE-CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters | CVE-2023-38633 CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters |
| TEJ RATHI | 2023-07-26 08:35:35 UTC | Depends On | 2226692, 2226690, 2226689, 2226694, 2226695, 2226693, 2226691, 2226696 | |
| TEJ RATHI | 2023-07-26 08:37:16 UTC | Summary | CVE-2023-38633 CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters | CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters |
| Paige Jung | 2023-07-26 16:29:10 UTC | Doc Text | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. The vulnerability can be exploited when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system, affecting the data confidentiality. | A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This issue occurs when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element, which can allow an attacker to send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system, affecting the data confidentiality. |
| David King | 2023-08-09 10:20:43 UTC | CC | dking | |
| Bryan Mason | 2023-08-09 17:54:47 UTC | CC | bmason | |
| TEJ RATHI | 2023-08-16 12:00:13 UTC | Severity | high | medium |
| | | Priority | high | medium |