CVE-2023-38633 – librsvg: Arbitrary file read when xinclude href has special characters

https://notcve.org/view.php?id=CVE-2023-38633

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This issue occurs when xinclude href has special characters; demonstrated by href=".?.. • http://seclists.org/fulldisclosure/2023/Jul/43 http://www.openwall.com/lists/oss-security/2023/07/27/1 http://www.openwall.com/lists/oss-security/2023/09/06/10 https://bugzilla.suse.com/show_bug.cgi?id=1213502 https://gitlab.gnome.org/GNOME/librsvg/-/issues/996 https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626 https://lists.fedoraproject.org • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •