A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3 https://bugzilla.suse.com/show_bug.cgi?id=1213502 https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
Based on https://gitlab.gnome.org/GNOME/librsvg/-/issues/996#note_1806622 it seems that this may not have been classified appropriately, and so should be downgraded to medium severity (a local file is required, not network access, as incorrectly mentioned in the CVE). Nevertheless, I am investigating backporting fixes to all applicable branches.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4809 https://access.redhat.com/errata/RHSA-2023:4809
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5081 https://access.redhat.com/errata/RHSA-2023:5081