{"id":"USN-6277-2","summary":"php-dompdf vulnerabilities","details":"USN-6277-1 fixed vulnerabilities in Dompdf. This update provides the\ncorresponding updates for Ubuntu 22.04 LTS.\n\nOriginal advisory details:\n\n It was discovered that Dompdf was not properly validating untrusted input when\n processing HTML content under certain circumstances. An attacker could\n possibly use this issue to expose sensitive information or execute arbitrary\n code. This issue only affected Ubuntu 16.04 LTS.\n (CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)\n \n It was discovered that Dompdf was not properly validating processed HTML\n content that referenced PHAR files, which could result in the deserialization\n of untrusted data. An attacker could possibly use this issue to execute\n arbitrary code. (CVE-2021-3838)\n \n It was discovered that Dompdf was not properly validating processed HTML\n content that referenced both a remote base and a local file, which could\n result in the bypass of a chroot check. An attacker could possibly use this\n issue to expose sensitive information. (CVE-2022-2400)\n","modified":"2026-02-10T04:43:14Z","published":"2023-08-10T18:31:51Z","related":["UBUNTU-CVE-2021-3838","UBUNTU-CVE-2022-2400"],"upstream":["CVE-2021-3838","CVE-2022-2400","UBUNTU-CVE-2021-3838","UBUNTU-CVE-2022-2400"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6277-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-3838"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2400"}],"affected":[{"package":{"name":"php-dompdf","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/php-dompdf@0.6.2+dfsg-3.1ubuntu0.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.2+dfsg-3.1ubuntu0.1"}]}],"versions":["0.6.2+dfsg-3.1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.6.2+dfsg-3.1ubuntu0.1","binary_name":"php-dompdf"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6277-2.json","cves_map":{"cves":[{"id":"CVE-2021-3838","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-2400","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:22.04:LTS"}}}],"schema_version":"1.7.3"}