{"id":"UBUNTU-CVE-2023-38633","details":"A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.","modified":"2026-02-04T03:35:06.751267Z","published":"2023-07-22T17:15:00Z","related":["USN-6266-1"],"upstream":["CVE-2023-38633"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-38633"},{"type":"REPORT","url":"https://marc.info/?i=73b96607-5080-939c-d354-33da849d195d@oracle.com"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6266-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-38633"}],"affected":[{"package":{"name":"librsvg","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/librsvg@2.48.9-1ubuntu0.20.04.4?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.48.9-1ubuntu0.20.04.4"}]}],"versions":["2.44.14-1","2.46.4-1","2.46.4-1ubuntu1","2.48.0-1","2.48.2-1","2.48.7-1ubuntu0.20.04.1","2.48.9-1ubuntu0.20.04.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.48.9-1ubuntu0.20.04.4","binary_name":"gir1.2-rsvg-2.0"},{"binary_version":"2.48.9-1ubuntu0.20.04.4","binary_name":"librsvg2-2"},{"binary_version":"2.48.9-1ubuntu0.20.04.4","binary_name":"librsvg2-bin"},{"binary_version":"2.48.9-1ubuntu0.20.04.4","binary_name":"librsvg2-common"},{"binary_version":"2.48.9-1ubuntu0.20.04.4","binary_name":"librsvg2-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38633.json"}},{"package":{"name":"librsvg","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/librsvg@2.52.5+dfsg-3ubuntu0.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.52.5+dfsg-3ubuntu0.2"}]}],"versions":["2.50.7+dfsg-1","2.50.7+dfsg-2","2.52.5+dfsg-1ubuntu1","2.52.5+dfsg-3"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.52.5+dfsg-3ubuntu0.2","binary_name":"gir1.2-rsvg-2.0"},{"binary_version":"2.52.5+dfsg-3ubuntu0.2","binary_name":"librsvg2-2"},{"binary_version":"2.52.5+dfsg-3ubuntu0.2","binary_name":"librsvg2-bin"},{"binary_version":"2.52.5+dfsg-3ubuntu0.2","binary_name":"librsvg2-common"},{"binary_version":"2.52.5+dfsg-3ubuntu0.2","binary_name":"librsvg2-dev"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38633.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}