Lookup for vulnerable packages by Package URL.

purl pkg:pypi/cairosvg@2.2.1
type pypi
namespace
name cairosvg
version 2.2.1
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version null
latest_non_vulnerable_version null
affected_by_vulnerabilities
0
url VCID-4rp7-t37q-kff1
vulnerability_id VCID-4rp7-t37q-kff1
summary CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.
references
0
reference_url https://github.com/Kozea/CairoSVG
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG
1
reference_url https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
2
reference_url https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53
3
reference_url https://github.com/Kozea/CairoSVG/releases/tag/2.7.0
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/releases/tag/2.7.0
4
reference_url https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27586
reference_id CVE-2023-27586
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-27586
7
reference_url https://github.com/advisories/GHSA-rwmf-w63j-p7gv
reference_id GHSA-rwmf-w63j-p7gv
reference_type
scores
url https://github.com/advisories/GHSA-rwmf-w63j-p7gv
fixed_packages
0
url pkg:pypi/cairosvg@2.7.0
purl pkg:pypi/cairosvg@2.7.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cairosvg@2.7.0
aliases CVE-2023-27586, GHSA-rwmf-w63j-p7gv, PYSEC-2023-9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4rp7-t37q-kff1
1
url VCID-kzys-kvs5-wqgv
vulnerability_id VCID-kzys-kvs5-wqgv
summary CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.
references
0
reference_url https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
1
reference_url https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
2
reference_url https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
reference_id
reference_type
scores
url https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
3
reference_url https://pypi.org/project/CairoSVG/
reference_id
reference_type
scores
url https://pypi.org/project/CairoSVG/
fixed_packages
0
url pkg:pypi/cairosvg@2.5.1
purl pkg:pypi/cairosvg@2.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4rp7-t37q-kff1
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cairosvg@2.5.1
aliases CVE-2021-21236, GHSA-hq37-853p-g5cf, PYSEC-2021-5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kzys-kvs5-wqgv
fixing_vulnerabilities
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cairosvg@2.2.1