CVE-2019-20446

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Published: Feb 2, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-20446
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
gnome / librsvg	2.44.0	2.44.16
gnome / librsvg	2.42.0	2.42.8
gnome / librsvg	-	2.40.21
opensuse / leap	15.1	15.1.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
debian / debian_linux	9.0	9.0.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html
https://gitlab.gnome.org/GNOME/librsvg/issues/515
https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/[email protected]/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/
https://security.netapp.com/advisory/ntap-20221111-0004/
https://usn.ubuntu.com/4436-1/

Vulnerability Database

289,784

CVE-2019-20446