CVE-2019-20446

medium

Description

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html

https://gitlab.gnome.org/GNOME/librsvg/issues/515

https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/

https://lists.fedoraproject.org/archives/list/[email protected]/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/

https://usn.ubuntu.com/4436-1/

Details

Source: MITRE

Published: 2020-02-02

Updated: 2021-01-05

Type: CWE-400

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM