CVE-2019-1000005
Last modified
CVE-2019-1000005 is a vulnerability of currently unknown severity. mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable if the attacker can host a crafted image on the victim server and trigger generation of a PDF file with content <img src="phar://path/to/crafted/image">. EPSS estimates a 2.10% chance of exploitation in the next 30 days.
Description
mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable if the attacker can host a crafted image on the victim server and trigger generation of a PDF file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8.
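The fix is to upgrade to mPDF 7.1.8 or later. As an added defence-in-depth example (not mPDF's own code, and not from the advisory), the following PHP pre-filter drops any <img> whose src uses a stream wrapper other than http/https before untrusted HTML is handed to the PDF generator; the function names and the sample HTML are constructed for this illustration.

```php
<?php
// Added mitigation example, not part of mPDF: refuse image sources that use
// a PHP stream wrapper (phar://, file://, php://, data:, compress.*, ...)
// so that only remote http(s) images reach the HTML-to-PDF step.
// Assumption: the HTML is untrusted and only http(s) images are required.

function imageSrcIsAllowed(string $src): bool
{
    $src = trim($src);
    // Any "scheme:" prefix other than http/https is refused.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $src, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // Bare relative paths are kept only if no wrapper marker survives.
    return stripos($src, '://') === false;
}

function sanitizeImageSources(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEDTD);
    libxml_clear_errors();
    // Snapshot the live NodeList first, since we remove nodes while walking it.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        if (!imageSrcIsAllowed($img->getAttribute('src'))) {
            $img->parentNode->removeChild($img);
        }
    }
    return $doc->saveHTML();
}

// Constructed sample input mirroring the advisory's trigger string.
$untrusted = '<p>ok</p><img src="https://example.test/logo.png">'
           . '<img src="phar://path/to/crafted/image">';
echo sanitizeImageSources($untrusted);
```

This only limits which sources reach getImage(); it does not replace the upstream fix in 7.1.8.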
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mpdf Project | Mpdf | <= 7.1.7 |
References
- https://github.com/mpdf/mpdf/issues/949 (Exploit, Issue Tracking, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-1000005?
How severe is CVE-2019-1000005?
How do I fix CVE-2019-1000005?
Are you affected by CVE-2019-1000005?
Source: NVD / NIST
