Vulnerabilities > Gnome > Librsvg

DATE CVE VULNERABILITY TITLE RISK
2023-07-22 CVE-2023-38633 Path Traversal vulnerability in multiple products
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
local
low complexity
gnome fedoraproject debian CWE-22
5.5
2020-02-02 CVE-2019-20446 Resource Exhaustion vulnerability in multiple products
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing.
6.5
2018-02-09 CVE-2018-1000041 GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB.
network
gnome debian
4.3
2017-07-19 CVE-2017-11464 Divide By Zero vulnerability in Gnome Librsvg 2.40.17
A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.
network
gnome CWE-369
6.8
2017-02-03 CVE-2016-6163 Out-of-bounds Read vulnerability in Gnome Librsvg 2.40.2
The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.
network
gnome CWE-125
4.3
2016-05-20 CVE-2016-4348 Improper Input Validation vulnerability in multiple products
The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.
network
low complexity
gnome debian opensuse CWE-20
5.0
2016-05-20 CVE-2015-7558 Improper Input Validation vulnerability in multiple products
librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document.
network
low complexity
debian gnome CWE-20
5.0
2016-05-20 CVE-2015-7557 Improper Input Validation vulnerability in Gnome Librsvg
The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document.
network
low complexity
gnome CWE-20
5.0
2013-10-10 CVE-2013-1881 Improper Input Validation vulnerability in Gnome Librsvg
GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
network
gnome CWE-20
4.3
2012-09-05 CVE-2011-3146 Unspecified vulnerability in Gnome Librsvg
librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with "fe," which is misidentified as a RsvgFilterPrimitive.
network
gnome
6.8