SUSE update for librsvg
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-38633 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openSUSE Leap Micro Operating systems & Components / Operating system Desktop Applications Module Operating systems & Components / Operating system SUSE Package Hub 15 Operating systems & Components / Operating system Basesystem Module Operating systems & Components / Operating system SUSE Linux Enterprise Micro for Rancher Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 15 Operating systems & Components / Operating system SUSE Linux Enterprise Server 15 Operating systems & Components / Operating system SUSE Linux Enterprise Real Time 15 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 15 Operating systems & Components / Operating system SUSE Linux Enterprise Desktop 15 Operating systems & Components / Operating system SUSE Linux Enterprise Micro Operating systems & Components / Operating system openSUSE Leap Operating systems & Components / Operating system SUSE Manager Retail Branch Server Operating systems & Components / Operating system SUSE Manager Server Operating systems & Components / Operating system SUSE Manager Proxy Operating systems & Components / Operating system librsvg-2-2-64bit-debuginfo Operating systems & Components / Operating system package or component librsvg-2-2-64bit Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg-64bit-debuginfo Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg-64bit Operating systems & Components / Operating system package or component rsvg-thumbnailer Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg-32bit-debuginfo Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg-32bit Operating systems & Components / Operating system package or component librsvg-2-2-32bit Operating systems & Components / Operating system package or component librsvg-2-2-32bit-debuginfo Operating systems & Components / Operating system package or component typelib-1_0-Rsvg-2_0 Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg-debuginfo Operating systems & Components / Operating system package or component librsvg-2-2-debuginfo Operating systems & Components / Operating system package or component librsvg-2-2 Operating systems & Components / Operating system package or component rsvg-convert Operating systems & Components / Operating system package or component librsvg-devel Operating systems & Components / Operating system package or component rsvg-convert-debuginfo Operating systems & Components / Operating system package or component librsvg-debugsource Operating systems & Components / Operating system package or component gdk-pixbuf-loader-rsvg Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Path traversal
EUVDB-ID: #VU78756
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-38633
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the URL decoder. A remote attacker can pass specially crafted URL to the library and read arbitrary files on the system.
MitigationUpdate the affected package librsvg to the latest version.
Vulnerable software versionsopenSUSE Leap Micro: 5.3 - 5.4
Desktop Applications Module: 15-SP4 - 15-SP5
SUSE Package Hub 15: 15-SP5
Basesystem Module: 15-SP4 - 15-SP5
SUSE Linux Enterprise Micro for Rancher: 5.3 - 5.4
SUSE Linux Enterprise Server for SAP Applications 15: SP4 - SP5
SUSE Linux Enterprise Server 15: SP4 - SP5
SUSE Linux Enterprise Real Time 15: SP4 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP4 - SP5
SUSE Linux Enterprise Desktop 15: SP4 - SP5
SUSE Linux Enterprise Micro: 5.3 - 5.4
openSUSE Leap: 15.4 - 15.5
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
librsvg-2-2-64bit-debuginfo: before 2.52.10-150400.3.6.1
librsvg-2-2-64bit: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg-64bit-debuginfo: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg-64bit: before 2.52.10-150400.3.6.1
rsvg-thumbnailer: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg-32bit-debuginfo: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg-32bit: before 2.52.10-150400.3.6.1
librsvg-2-2-32bit: before 2.52.10-150400.3.6.1
librsvg-2-2-32bit-debuginfo: before 2.52.10-150400.3.6.1
typelib-1_0-Rsvg-2_0: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg-debuginfo: before 2.52.10-150400.3.6.1
librsvg-2-2-debuginfo: before 2.52.10-150400.3.6.1
librsvg-2-2: before 2.52.10-150400.3.6.1
rsvg-convert: before 2.52.10-150400.3.6.1
librsvg-devel: before 2.52.10-150400.3.6.1
rsvg-convert-debuginfo: before 2.52.10-150400.3.6.1
librsvg-debugsource: before 2.52.10-150400.3.6.1
gdk-pixbuf-loader-rsvg: before 2.52.10-150400.3.6.1
CPE2.3- cpe:2.3:o:suse:opensuse_leap_micro:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap_micro:5.4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:desktop_applications_module:15-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:desktop_applications_module:15-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_package_hub_15:15-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:basesystem_module:15-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:basesystem_module:15-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_micro_for_rancher:5.4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_micro:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:opensuse_leap:15.4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_manager_server:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_manager_proxy:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:suse:librsvg-2-2-64bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-2-2-64bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg-64bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg-64bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:rsvg-thumbnailer:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg-32bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-2-2-32bit:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-2-2-32bit-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:typelib-1_0-rsvg-2_0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-2-2-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-2-2:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:rsvg-convert:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:rsvg-convert-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:librsvg-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:gdk-pixbuf-loader-rsvg:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2023/suse-su-20233021-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
