CVE-2023-45139
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| fonttools | fonttools | >= 4.28.2, < 4.43.0 | affected |
Weaknesses
- CWE-611: CWE-611: Improper Restriction of XML External Entity Reference
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
- https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
- https://github.com/fonttools/fonttools/releases/tag/4.43.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/
- http://www.openwall.com/lists/oss-security/2024/03/09/1
- http://www.openwall.com/lists/oss-security/2024/03/08/2
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
- https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
- https://github.com/fonttools/fonttools/releases/tag/4.43.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/
- http://www.openwall.com/lists/oss-security/2024/03/09/1
- http://www.openwall.com/lists/oss-security/2024/03/08/2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.