{"id":"CVE-2023-38633","details":"A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.","modified":"2026-04-16T04:36:10.163272911Z","published":"2023-07-22T17:15:09.810Z","related":["ALSA-2023:5081","SUSE-SU-2023:3021-1","SUSE-SU-2023:3208-1","openSUSE-SU-2024:13500-1"],"references":[{"type":"ADVISORY","url":"https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230831-0011/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5484"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"type":"REPORT","url":"https://gitlab.gnome.org/GNOME/librsvg/-/issues/996"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=37415799"},{"type":"FIX","url":"https://bugzilla.suse.com/show_bug.cgi?id=1213502"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2023/09/06/10"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2023/07/27/1"},{"type":"EVIDENCE","url":"https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/librsvg","events":[{"introduced":"ca640d1185745665c61689b71c627e1d020a80b7"},{"fixed":"f1e76275732f54cad528d41ea83ef7bd9fb06ea5"},{"introduced":"cc3b2fb0672052721e761ca9dd1c8ab6821cbdf9"},{"fixed":"0ca67e3c81ac67d12ad84bfc34e325e240bb5128"},{"introduced":"06dbf614196294ad96b9a8fef86e6a07c3db0bf0"},{"fixed":"a8723506b33d737a0c9c1c406c4bae76cb0fb373"},{"introduced":"1729feb4c197a7dd94fe303931d51eb843bdcaf9"},{"fixed":"3a2b6f80409be1bf2118fba0f0b073bb6005b640"},{"introduced":"bad722eb736b84e043d824df1683b63d73421ca7"},{"fixed":"168e73d43c01fe2fdca98bad674077a000b670da"},{"introduced":"8d1fef1f16a39caaa1ab150ae2de2135624649a6"},{"fixed":"41caee7eaefd5ef1e20d25bc56fd059f73b7fc2f"},{"introduced":"b831e077174ae608d8cd09e532fc0e7ce1fe5c4f"},{"fixed":"312c4b8c28c99b9051ee6de6fa966cf977b0f7b4"}],"database_specific":{"versions":[{"introduced":"2.42.3"},{"fixed":"2.46.6"},{"introduced":"2.48.0"},{"fixed":"2.48.11"},{"introduced":"2.50.0"},{"fixed":"2.50.8"},{"introduced":"2.52.0"},{"fixed":"2.52.10"},{"introduced":"2.54.0"},{"fixed":"2.54.6"},{"introduced":"2.55.0"},{"fixed":"2.55.3"},{"introduced":"2.56.0"},{"fixed":"2.56.3"}]}}],"versions":["2.48.0","2.48.1","2.48.10","2.48.2","2.48.3","2.48.4","2.48.5","2.48.6","2.48.7","2.48.8","2.48.9","2.50.0","2.50.1","2.50.2","2.50.3","2.50.4","2.50.5","2.50.6","2.50.7","2.52.0","2.52.1","2.52.2","2.52.3","2.52.4","2.52.5","2.52.6","2.52.7","2.52.8","2.52.9","2.54.0","2.54.1","2.54.2","2.54.3","2.54.4","2.54.5","2.55.0","2.55.1","2.55.2","2.56.0","2.56.1","2.56.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38633.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}