QwikSec

Security Database

CVE

CWE

Training

CVE-2023-38633

Published: Jul 22, 2023

Modified: Aug 2, 2024

PUBLISHED

Description

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://gitlab.gnome.org/GNOME/librsvg/-/issues/996

https://bugzilla.suse.com/show_bug.cgi?id=1213502

https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3

20230724 APPLE-SA-2023-07-24-1 Safari 16.6

mailing-list

[oss-security] 20230727 CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters

mailing-list

FEDORA-2023-fc79ee273d

vendor-advisory

FEDORA-2023-0873c38acd

vendor-advisory

vendor-advisory

https://security.netapp.com/advisory/ntap-20230831-0011/

[oss-security] 20230906 Re: CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters

mailing-list

https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

https://news.ycombinator.com/item?id=37415799

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.