CVE-2023-38633
MEDIUM
librsvg 2.42.3-2.46.6 - Directory Traversal via URL Decoder
Title source: llmDescription
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
References (12)
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1213502
Exploit, Issue Tracking, Vendor Advisory
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
Release Notes
https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
Issue Tracking, Third Party Advisory
https://news.ycombinator.com/item?id=37415799
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230831-0011/
Exploit, Technical Description, Third Party Advisory
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
Mailing List, Not Applicable, Third Party Advisory, mailing-list
http://seclists.org/fulldisclosure/2023/Jul/43
Exploit, Mailing List, Third Party Advisory, mailing-list
http://www.openwall.com/lists/oss-security/2023/07/27/1
Third Party Advisory, vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/
Third Party Advisory, vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/
Third Party Advisory, vendor-advisory
https://www.debian.org/security/2023/dsa-5484
Mailing List, mailing-list
http://www.openwall.com/lists/oss-security/2023/09/06/10
Scores
CVSS v3
5.5
EPSS
0.4361
EPSS Percentile
97.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (5)
debian/debian_linux
11.0
debian/debian_linux
12.0
fedoraproject/fedora
37
fedoraproject/fedora
38
gnome/librsvg
2.42.3 - 2.46.6
Published
Jul 22, 2023
Tracked Since
Feb 18, 2026