Description
GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
References (9)
Core 9
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0127.html
Various Sources x_refsource_confirm
http://ftp.gnome.org/pub/GNOME/sources/librsvg/2.39/librsvg-2.39.0.changes
Issue Tracking x_refsource_confirm
https://bugzilla.gnome.org/show_bug.cgi?id=691708
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/55088
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2149-1
Various Sources x_refsource_misc
http://en.securitylab.ru/lab/PT-2013-01
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-11/msg00114.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00020.html
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2149-2
Scores
EPSS
0.0777
EPSS Percentile
92.0%
Details
CWE
CWE-20
Status
published
Products (50)
gnome/librsvg
1.0.0
gnome/librsvg
1.0.1
gnome/librsvg
1.0.2
gnome/librsvg
1.0.3
gnome/librsvg
1.1.1
gnome/librsvg
1.1.2
gnome/librsvg
1.1.3
gnome/librsvg
1.1.4
gnome/librsvg
1.1.5
gnome/librsvg
1.1.6
... and 40 more
Published
Oct 10, 2013
Tracked Since
Feb 18, 2026