CVE-2024-28184

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/

Configurations

No configuration.

History

23 Mar 2024, 03:15

Type	Values Removed	Values Added
Summary		(es) WeasyPrint ayuda a los desarrolladores web a crear documentos PDF. Desde la versión 61.0, existe una vulnerabilidad que permite adjuntar contenido de archivos y URL arbitrarios a un documento PDF generado, incluso si `url_fetcher` está configurado para impedir el acceso a archivos y URL. Esta vulnerabilidad ha sido parcheada en la versión 61.2.
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/ -

09 Mar 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-09 01:15

Updated : 2024-03-23 03:15

NVD link : CVE-2024-28184

Mitre link : CVE-2024-28184

CVE.ORG link : CVE-2024-28184

JSON object : View

Products Affected

No product.

CWE

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

7.4 /10