{ "schema_version": "1.4.0", "id": "GHSA-6x28-7h8c-chx4", "modified": "2022-09-30T04:31:01Z", "published": "2022-09-26T00:00:23Z", "aliases": [ "CVE-2022-41343" ], "summary": "Dompdf allows remote file inclusion because URI validation failure does not halt font registration", "details": "`registerFont` in `FontMetrics.php` in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a `@font-face` rule.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "dompdf/dompdf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.0.1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41343" }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/issues/2994" }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/pull/2995" }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2" }, { "type": "WEB", "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-6x28-7h8c-chx4" }, { "type": "PACKAGE", "url": "https://github.com/dompdf/dompdf" }, { "type": "WEB", "url": "https://github.com/dompdf/dompdf/releases/tag/v2.0.1" }, { "type": "WEB", "url": "https://tantosec.com/blog/cve-2022-41343" } ], "database_specific": { "cwe_ids": [ "CWE-552" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-09-30T04:31:01Z", "nvd_published_at": "2022-09-25T19:15:00Z" } }