CVE-2019-20446 — Uncontrolled Resource Consumption in Librsvg
Severity
NVD: 6.5 MEDIUM
OSV: 7.8
EPSS
1.3%
top 20.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 2
Latest update: May 24
Description
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages: 5 packages
Also affects: Debian Linux 9.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04
Vulnerability Details (4)
Vendor Advisories (4)
Community (6)
Bugzilla: CVE-2019-20446 chromium: librsvg: Resource exhaustion via crafted SVG file with nested patterns [epel-all] (2020-02-03)
Bugzilla: CVE-2019-20446 thunderbird: librsvg: Resource exhaustion via crafted SVG file with nested patterns [fedora-all] (2020-02-03)
Bugzilla: CVE-2019-20446 chromium: librsvg: Resource exhaustion via crafted SVG file with nested patterns [fedora-all] (2020-02-03)
Bugzilla: CVE-2019-20446 firefox: librsvg: Resource exhaustion via crafted SVG file with nested patterns [fedora-all] (2020-02-03)