CVE-2023-45139

CVSS V2 None CVSS V3 None

Description

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Overview

CVE ID
CVE-2023-45139

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-01-10T16:03:08.770Z

Last Modified Date
2024-01-10T16:03:08.770Z

Weakness Enumerations

CWE	URL
CWE-611	http://cwe.mitre.org/data/definitions/611.html

References

Reference URL	Reference Tags
https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5	x_refsource_CONFIRM
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c	x_refsource_MISC
https://github.com/fonttools/fonttools/releases/tag/4.43.0	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/
http://www.openwall.com/lists/oss-security/2024/03/09/1
http://www.openwall.com/lists/oss-security/2024/03/08/2

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-45139
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45139

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 09:50:55				Added to TrackCVE