The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file.

The remote host is affected by the vulnerability described in GLSA-202003-11 (SVG Salamander: Server-Side Request Forgery)

    A Server-Side Request Forgery was discovered in SVG Salamander.
  Impact :

    An attacker, by sending a specially crafted SVG file, can conduct SSRF.
  Workaround :

    There is no known workaround at this time.

New upstream release with security fix for CVE-2017-5617

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Luc Lynx discovered that SVG Salamander, a SVG engine for Java was susceptible to server side request forgery.

Luc Lynx discovered a Server-Side Request Forgery in svgSalamander allowing access to the trusted network with specially crafted SVG files.

For Debian 7 'Wheezy', these problems have been fixed in version 0~svn95-1+deb7u1.

We recommend that you upgrade your svgsalamander packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
134588	GLSA-202003-11 : SVG Salamander: Server-Side Request Forgery	Nessus	Gentoo Local Security Checks	high
124505	Fedora 30 : svgsalamander (2019-735d3953e8)	Nessus	Fedora Local Security Checks	high
123474	Fedora 29 : svgsalamander (2019-3cbce64a64)	Nessus	Fedora Local Security Checks	high
96984	Debian DSA-3781-1 : svgsalamander - security update	Nessus	Debian Local Security Checks	high
96983	Debian DLA-816-1 : svgsalamander security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-5617

high

Tenable Plugins

high

high

high

high

high