This content cannot be displayed without JavaScript.
Please enable JavaScript and reload the page.

EIQ-2021-0004

ID	EIQ-2021-0004
CVE	CVE-2021-21236
Description	CairoSVG is vulnerable to regular expression denial of service
Date	25 Jan 2021
Severity	2 - MEDIUM
CVSSv3 score	5.5
Status	2.10.0
Assessment	CairoSVG is an SVG converter based on Cairo. CairoSVG versions 2.5.0 and earlier is vulnerable to regular expression denial of service (ReDoS). Affected versions of the SVG converter may take quadratic time to parse crafted regular expressions such as the ones described in the Regular Expression Denial of Service and the SNYK-PYTHON-CAIROSVG-1056423 vulnerability advisories. A signed-in user without admin access rights could exploit the vulnerability if they have at least the following permission: modify blob-uploads To exploit the vulnerability, the user would need to manually upload a maliciously crafted .svg file to the platform. Parsing the .svg file content with `cairosvg` would take quadratic time, which is computationally expensive. This may result in a denial of service (CPU consumption): the currently active platform view may freeze. To restore the view, the user would need to refresh the browser tab.
Mitigation	CairoSVG 2.5.1 addresses the vulnerability.
Affected versions	2.9.1 and earlier.
Notes	For more information, see CVE-2021-21236 on mitre.org CWE-400: Uncontrolled Resource Consumption SNYK-PYTHON-CAIROSVG-1056423 Regular Expression Denial of Service (ReDoS - GitHub security issue) GitHub commit with the fix This section is not visible to users accessing the public docs, it's for internal reference See also: not fixed for 2.9.2. `[email protected]:requirements/requirements-prod.txtL18 cairosvg==2.4.2 # via weasyprint` Slack convo in the engineering-release channel Slack convo in the psirt-ops channel

< Back to all security issues and mitigation actions

In release notes 2.9.1

In release notes 2.9.2

In release notes 2.10.0