Vulnerability Description
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
CVSS Score
9.9 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Courtbouillon | Cairosvg | < 2.7.0 |
Related Weaknesses (CWE)
References
- https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e739725 (Patch)
- https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b5 (Patch)
- https://github.com/Kozea/CairoSVG/releases/tag/2.7.0 (Release Notes)
- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv (Vendor Advisory)
FAQ
What is CVE-2023-27586?
CVE-2023-27586 is a vulnerability with a CVSS score of 9.9 (CRITICAL). CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a speciall...
How severe is CVE-2023-27586?
CVE-2023-27586 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-27586?
Check the references section above for vendor advisories and patch information. Affected products include: Courtbouillon Cairosvg.