CVE-2021-3902 — CRITICAL (9.8)

Q: How severe is CVE-2021-3902?

CVE-2021-3902 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-3902?

Check the references section above for vendor advisories and patch information. Affected products include: Dompdf Project Dompdf.

Vulnerability Description

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Dompdf Project	Dompdf	< 2.0.0

Related Weaknesses (CWE)

CWE-611

References

https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799Patch
https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1ExploitIssue TrackingPatch

FAQ

What is CVE-2021-3902?

CVE-2021-3902 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all version...

How severe is CVE-2021-3902?

CVE-2021-3902 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-3902?

Check the references section above for vendor advisories and patch information. Affected products include: Dompdf Project Dompdf.