EIQ-2021-0004

ID

EIQ-2021-0004

CVE

CVE-2021-21236

Description

CairoSVG is vulnerable to regular expression denial of service

Date

25 Jan 2021

Severity

2 - MEDIUM

CVSSv3 score

5.5

Status

✅ 2.10.0

Assessment

CairoSVG is an SVG converter based on Cairo.

CairoSVG versions 2.5.0 and earlier are vulnerable to regular expression denial of service (ReDoS).

Affected versions of the SVG converter may take quadratic time to process crafted SVG content that drives the library's own regular expressions into excessive backtracking, as described in the Regular Expression Denial of Service and SNYK-PYTHON-CAIROSVG-1056423 vulnerability advisories.

A signed-in user without admin access rights could exploit the vulnerability if they have at least the following permission:

  • modify blob-uploads

To exploit the vulnerability, the user would need to manually upload a maliciously crafted .svg file to the platform.

Parsing the .svg file content with CairoSVG would take time that grows quadratically with the length of the crafted input, so even a modestly sized file is computationally expensive to process.

This may result in a denial of service (CPU consumption): the currently active platform view may freeze.

To restore the view, the user would need to refresh the browser tab.

Mitigation

CairoSVG 2.5.1 addresses the vulnerability.
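Upgrading CairoSVG is the fix. As defense in depth for the scenario described above (an untrusted upload whose conversion pins the CPU), the following added example shows how a platform can run the conversion of untrusted SVG in a separate interpreter bounded by a wall-clock timeout, so a pathological file is killed instead of freezing the view. This is example code written for this page, not code from CairoSVG or from the platform. The regular expression in the child script is a constructed stand-in for a backtracking pattern applied to attribute text (an unanchored-start `\s+$`, which is quadratic on a long run of whitespace followed by one non-space character); it is not CairoSVG's actual pattern, and the sample SVG and the payload are constructed inputs. The function names `render_untrusted`, `strip_trailing_ws_safe` and `regex_and_safe_agree` are this example's own.

```python
import re
import subprocess
import sys
import textwrap

# Child-side code, executed in its own interpreter so that a pathological
# input can be killed without affecting the caller. The regex is a CONSTRUCTED
# stand-in for a backtracking pattern over attribute text, not CairoSVG's own:
# re.sub(r"\s+$", ...) on "<spaces...>x" retries the match at every starting
# offset and backtracks through the remaining run each time, O(n^2) overall.
CHILD_SCRIPT = textwrap.dedent(r"""
    import re, sys
    data = sys.stdin.buffer.read().decode("utf-8", "replace")
    # Stand-in for the converter's attribute handling (quadratic on crafted input).
    cleaned = re.sub(r"\s+$", "", data)
    sys.stdout.write(str(len(cleaned)))
""")


def render_untrusted(svg_text: str, timeout_s: float = 3.0):
    """Run the stand-in conversion in a child process with a wall-clock limit.

    Returns ("ok", stdout_text) or ("timeout", None). subprocess.run() kills
    the child when the timeout expires, so a quadratic match cannot keep the
    calling process (the platform view) busy indefinitely.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            input=svg_text.encode("utf-8"),
            capture_output=True,
            timeout=timeout_s,
            check=False,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    return ("ok", proc.stdout.decode("utf-8"))


def benign_svg() -> str:
    # Constructed sample input: a minimal, well-formed SVG document.
    return ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
            '<rect width="10" height="10"/></svg>')


def malicious_svg(n: int = 300_000) -> str:
    # Constructed payload: a long run of whitespace followed by a single
    # non-space character, the shape that makes "\s+$" backtrack quadratically.
    return benign_svg() + " " * n + "x"


def strip_trailing_ws_safe(text: str) -> str:
    """Hardened form of the stand-in: str.rstrip() is linear in the input
    length and yields the same result as re.sub(r"\s+$", "", text)."""
    return text.rstrip()


def regex_and_safe_agree(text: str) -> bool:
    """Check that the hardened form matches the stand-in's output on a short
    input (short enough that the quadratic pattern is still cheap)."""
    return re.sub(r"\s+$", "", text) == strip_trailing_ws_safe(text)


if __name__ == "__main__":
    print(render_untrusted(benign_svg()))          # ("ok", "<length of benign SVG>")
    print(render_untrusted(malicious_svg()))       # ("timeout", None)
    print(regex_and_safe_agree("rgb(1, 2, 3)   ")) # True
```

The timeout is a containment measure, not a substitute for the upgrade: it bounds how long a single upload can occupy a worker, and the linear `rstrip()` form shows the kind of rewrite that removes the backtracking entirely. Choose the limit from the conversion time of legitimate files on the platform's hardware, and keep the child's stdout small so a slow upload cannot also exhaust memory in the parent.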

Affected versions

Platform releases 2.9.1 and earlier.

Notes

For more information, see: