| Name | CVE-2021-3902 |
| Description | An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| php-dompdf (PTS) | jessie | 0.6.1+dfsg-2+deb8u1 | vulnerable |
| stretch | 0.6.2+dfsg-3 | vulnerable |
| buster (security), buster, buster (lts) | 0.6.2+dfsg-3+deb10u2 | fixed |
| bullseye | 0.6.2+dfsg-3.1 | fixed |
| bookworm | 2.0.3+dfsg-1 | fixed |
| sid, trixie | 3.0.0+dfsg-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| php-dompdf | source | jessie | (unfixed) | end-of-life | | |
| php-dompdf | source | stretch | (unfixed) | end-of-life | | |
| php-dompdf | source | buster | (not affected) | | | |
| php-dompdf | source | bullseye | (not affected) | | | |
| php-dompdf | source | (unstable) | 2.0.2+dfsg-1 | | | |
Notes
[bullseye] - php-dompdf <not-affected> (current code reject svg image. Double checked by testing)
[buster] - php-dompdf <not-affected> (current code reject svg image. Double checked by testing)
https://github.com/dompdf/dompdf/issues/2564
https://huntr.dev/bounties/a6071c07-806f-429a-8656-a4742e4191b1
https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799 (v2.0.0)