CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e	Exploit Issue Tracking Patch Third Party Advisory
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:dompdf_project:dompdf:*:*:*:*:*:*:*:*

History

19 Nov 2024, 17:11

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e -~~	() https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e - Exploit, Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a -~~	() https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a - Patch
CPE		cpe:2.3:a:dompdf_project:dompdf::::::::
First Time		Dompdf Project dompdf Dompdf Project
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

15 Nov 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 11:15

Updated : 2024-11-19 17:11

NVD link : CVE-2021-3838

Mitre link : CVE-2021-3838

JSON object : View

Products Affected

dompdf_project

dompdf

CWE

CWE-502

Deserialization of Untrusted Data

9.8 /10