CVE-2021-3838

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3838
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3838.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-3838
Aliases
Related
Published
2024-11-15T11:15:05Z
Modified
2024-12-24T10:48:32.475206Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the filegetcontents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

References

Affected packages

Debian:11 / php-dompdf

Package

Name
php-dompdf
Purl
pkg:deb/debian/php-dompdf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.6.2+dfsg-3.1
0.6.2+dfsg-4

2.*

2.0.2+dfsg-1
2.0.2+dfsg-2
2.0.3+dfsg-1
2.0.3+dfsg-2
2.0.3+dfsg-3
2.0.3+dfsg-4
2.0.4+dfsg-1
2.0.4+dfsg-2
2.0.7+dfsg-1

3.*

3.0.0+dfsg-1
3.0.0+dfsg-2
3.0.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / php-dompdf

Package

Name
php-dompdf
Purl
pkg:deb/debian/php-dompdf?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/dompdf/dompdf

Affected ranges

Type
GIT
Repo
https://github.com/dompdf/dompdf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.6.0
v0.6.0-b3
v0.6.1
v0.6.2
v0.7.0
v0.7.0-beta
v0.7.0-beta2
v0.7.0-beta3
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2