CVE-2023-45139

EUVD-2024-0267
fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
Affected Products (NVD)
VendorProductVersion
fonttoolsfonttools
4.28.2 ≤
𝑥
< 4.43.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
fonttools
bookworm
no-dsa
bullseye
4.19.1-1
not-affected
buster
not-affected
sid
4.55.0-3
fixed
trixie
4.55.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
fonttools
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/03/08/2
http://www.openwall.com/lists/oss-security/2024/03/09/1
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
https://github.com/fonttools/fonttools/releases/tag/4.43.0
https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/
http://www.openwall.com/lists/oss-security/2024/03/08/2
http://www.openwall.com/lists/oss-security/2024/03/09/1
https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c
https://github.com/fonttools/fonttools/releases/tag/4.43.0
https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75/