CVE-2021-3902
Published 2024-11-15
Priority: P356 · Critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.92% (55.9th percentile)
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-dompdf | < php-dompdf 2.0.2+dfsg-1 (bookworm) | php-dompdf 2.0.2+dfsg-1 (bookworm) |
| dompdf | dompdf | >= 0 < 2.0.0 | 2.0.0 |
| dompdf | dompdf_dompdf | >= unspecified < 2.0.0 | 2.0.0 |
| dompdf_project | dompdf | < 2.0.0 | 2.0.0 |
Detection & IOCs (extracted from sources)
- The XXE vulnerability in dompdf's SVG parser can be exploited even when isRemoteEnabled is set to false; detection logic should not assume that disabling remote access mitigates the attack.
- Monitor for SSRF attempts originating from dompdf SVG parsing, including unexpected outbound HTTP/file requests triggered during PDF rendering.
- Monitor for PHAR deserialization attack patterns triggered via dompdf SVG parsing: look for phar:// stream wrapper usage in file paths passed to dompdf.
- Monitor for XXE payloads within SVG content submitted to dompdf, including external entity declarations referencing internal file paths or remote URLs.
- Setting isRemoteEnabled to false does NOT prevent exploitation of this vulnerability; the attack is possible regardless of this configuration option.
- All dompdf versions prior to 2.0.0 are affected; the Debian-tracked fix is in version 2.0.2+dfsg-1 for bookworm/sid.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
Debian
vendor_debian · 2021 · CVSS 9.8
CVE-2021-3902 [CRITICAL] php-dompdf (description as in the advisory text above)
Scope: local
bookworm: resolved (fixed in 2.0.2+dfsg-1)
bullseye: resolved
sid: resolved (fixed in 2.0.2+dfsg-1)
GHSA
ghsa · 2024-11-15
CVE-2021-3902 [CRITICAL] CWE-611 Improper Restriction of XML External Entity Reference in dompdf/dompdf (description as in the advisory text above)
OSV
osv · 2024-11-15
CVE-2021-3902 [CRITICAL] Improper Restriction of XML External Entity Reference in dompdf/dompdf (description as in the advisory text above)
OSV
osv · 2024-11-15 · CVSS 9.8
CVE-2021-3902 [CRITICAL] (description as in the advisory text above)
No detection rules found.
No public exploits indexed.