Vulnerability Description
The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 8.0 |
| Kitfox | Svg Salamander | - |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2017/dsa-3781 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2017/01/27/3 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2017/01/29/2 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/95871 (Third Party Advisory, VDB Entry)
- https://github.com/blackears/svgSalamander/issues/11 (Patch, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202003-11 (Third Party Advisory)
FAQ
What is CVE-2017-5617?
CVE-2017-5617 is a vulnerability with a CVSS score of 7.4 (HIGH). The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file.
How severe is CVE-2017-5617?
CVE-2017-5617 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-5617?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Kitfox Svg Salamander.