CVE-2021-3838
Published: 2024-11-15
Priority P263 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.43% (69.7th percentile)
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-dompdf | < php-dompdf 2.0.2+dfsg-1 (bookworm) | php-dompdf 2.0.2+dfsg-1 (bookworm) |
| dompdf | dompdf | >= 0 < 2.0.0 | 2.0.0 |
| dompdf | dompdf_dompdf | >= unspecified < 2.0.0 | 2.0.0 |
| dompdf_project | dompdf | < 2.0.0 | 2.0.0 |
Detection & IOCs
- Detect use of the phar:// protocol wrapper being passed into file_get_contents() within DomPDF processing, which is the core exploitation vector for this vulnerability.
- Monitor for PHAR file uploads to the server combined with subsequent DomPDF HTML content referencing phar:// URIs, as this two-step pattern is required for exploitation.
- Prioritize detection in environments where DomPDF is used alongside Laravel or other PHP frameworks with known POP (Property-Oriented Programming) chains, as these dramatically increase the likelihood of RCE following successful deserialization.
- The vulnerability is fixed in DomPDF version 2.0.0 and later. Debian bookworm and sid resolved it in 2.0.2+dfsg-1; Debian bullseye resolved it in 0.6.2+dfsg-3.1+deb11u1. Ensure the deployed version is at or above these thresholds before deprioritizing detection.
- Exploitation requires the attacker to already have the ability to upload arbitrary file types to the server. Environments with strict upload controls (type/extension filtering) significantly reduce the attack surface.
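The first two detection points can be applied as a check on HTML before it reaches the renderer. The following is an added example, not code from DomPDF or from any of the advisories on this page; the scheme allowlist, the function names and the sample HTML are assumptions made for illustration.

```python
import html
import re

# Assumption: the only schemes this application needs in HTML it renders to PDF.
ALLOWED_SCHEMES = {"http", "https", "data"}

# Places where HTML/CSS can name an external resource.
REF_PATTERNS = [
    re.compile(r'''\b(?:src|href|background)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.I),
    re.compile(r'''url\(\s*["']?([^"')]+)''', re.I),
    re.compile(r'''@import\s+["']([^"']+)["']''', re.I),
]
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def extract_refs(markup):
    """Yield every resource reference found in attributes and inline CSS."""
    for pattern in REF_PATTERNS:
        for match in pattern.finditer(markup):
            raw = next(g for g in match.groups() if g is not None)
            # Decode entities so "phar&#58;//" is seen as "phar://".
            yield html.unescape(raw).strip()


def find_disallowed_refs(markup, allowed=ALLOWED_SCHEMES):
    """Return (scheme, reference) pairs whose scheme is not allowlisted."""
    hits = []
    for ref in extract_refs(markup):
        match = SCHEME_RE.match(ref)
        if match is None:
            continue  # relative reference, no stream wrapper named
        scheme = match.group(1).lower()  # treat PHAR:// and phar:// alike
        if scheme not in allowed:
            hits.append((scheme, ref))
    return hits


# Constructed sample input, not taken from any real incident.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<style>body { background: url('PHAR:///srv/uploads/example.jpg/bg.png'); }</style>
</head><body>
<img src="phar&#58;//uploads/example.png/a.png">
<img src="/static/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for scheme, ref in find_disallowed_refs(SAMPLE_HTML):
        print(f"blocked scheme={scheme} ref={ref}")
```

An allowlist is used rather than a phar:// blocklist so that other stream wrappers are rejected as well; the check complements, and does not replace, upgrading to a fixed version.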
CVSS provenance
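| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 6.5 | MEDIUM | |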
Ubuntu
Dompdf vulnerabilities
vendor_ubuntu·2023-08-10·CVSS 6.5
CVE-2021-3838 [MEDIUM] Dompdf vulnerabilities
Title: Dompdf vulnerabilities
Summary: Several security issues were fixed in Dompdf.
USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the
corresponding updates for Ubuntu 22.04 LTS.
Original advisory details:
It was discovered that Dompdf was not properly validating untrusted input when
processing HTML content under certain circumstances. An attacker could
possibly use this issue to expose sensitive information or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced PHAR files, which could result in the deserialization
of untrusted data. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2021
Ubuntu
Dompdf vulnerabilities
vendor_ubuntu·2023-08-08·CVSS 6.5
CVE-2014-5011 [MEDIUM] Dompdf vulnerabilities
Title: Dompdf vulnerabilities
Summary: Several security issues were fixed in Dompdf.
It was discovered that Dompdf was not properly validating untrusted input when
processing HTML content under certain circumstances. An attacker could
possibly use this issue to expose sensitive information or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced PHAR files, which could result in the deserialization
of untrusted data. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-3838)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced both a remote base and a local file,
Debian
CVE-2021-3838: php-dompdf - DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack ...
vendor_debian·2021·CVSS 9.8
CVE-2021-3838 [CRITICAL] CVE-2021-3838: php-dompdf - DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack ...
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
Scope: local
bookworm: resolved (fixed in 2.0.2+dfsg-1)
bullseye: resolved (fixed in 0.6.2+dfsg-3.1+deb11u1)
sid: resolved (fixed in 2.0.2+dfsg-1)
OSV
Deserialization of Untrusted Data in dompdf/dompdf
osv·2024-11-15
CVE-2021-3838 [CRITICAL] Deserialization of Untrusted Data in dompdf/dompdf
Deserialization of Untrusted Data in dompdf/dompdf
DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
GHSA
Deserialization of Untrusted Data in dompdf/dompdf
ghsa·2024-11-15
CVE-2021-3838 [CRITICAL] CWE-502 Deserialization of Untrusted Data in dompdf/dompdf
Deserialization of Untrusted Data in dompdf/dompdf
DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
OSV
CVE-2021-3838: DomPDF before version 2
osv·2024-11-15·CVSS 9.8
CVE-2021-3838 [CRITICAL] CVE-2021-3838: DomPDF before version 2
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
OSV
php-dompdf vulnerabilities
osv·2023-08-10·CVSS 6.5
CVE-2014-5011 [MEDIUM] php-dompdf vulnerabilities
php-dompdf vulnerabilities
USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the
corresponding updates for Ubuntu 22.04 LTS.
Original advisory details:
It was discovered that Dompdf was not properly validating untrusted input when
processing HTML content under certain circumstances. An attacker could
possibly use this issue to expose sensitive information or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced PHAR files, which could result in the deserialization
of untrusted data. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-3838)
It was discovered that Dompdf was not properly vali
OSV
php-dompdf vulnerabilities
osv·2023-08-08·CVSS 6.5
CVE-2014-5011 [MEDIUM] php-dompdf vulnerabilities
php-dompdf vulnerabilities
It was discovered that Dompdf was not properly validating untrusted input when
processing HTML content under certain circumstances. An attacker could
possibly use this issue to expose sensitive information or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced PHAR files, which could result in the deserialization
of untrusted data. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-3838)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced both a remote base and a local file, which could
result in the bypass of a chroot check. An atta
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-11-15