Resource exhaustion in GNOME librsvg
CVE-2019-20446
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.021 (79.6th percentile)
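The description above breaks off before stating the growth rule, but the mechanism is visible in what remains: every shape painted with a pattern re-draws the whole referenced pattern, so a chain of patterns in which each level paints several shapes with the previous pattern multiplies the number of rendered objects at every level. The following added example (not code from librsvg or from the original page) is a pre-render guard of the kind a loader can apply: it walks an SVG's `url(#id)` paint references, estimates how many element instances a renderer would expand them to, and rejects the file when the estimate exceeds a ceiling or when patterns reference each other in a cycle. It also generates the nested-pattern input it is exercised on. The `MAX_INSTANCES` value, the function names and the constructed SVG documents are assumptions for illustration; only fill/stroke references are followed, not pattern `href` inheritance, markers or clip paths.

```python
"""Pre-render guard for SVG pattern fan-out.

Added example, not librsvg's code: statically estimate how many element
instances an SVG's <pattern> references expand to, and reject documents
whose estimate exceeds a limit or whose patterns form a reference cycle.
Only fill/stroke paint references (url(#id)) are followed; pattern href
inheritance, markers and clip paths are not modelled (assumption).
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
PATTERN_TAG = "{%s}pattern" % SVG_NS
DEFS_TAG = "{%s}defs" % SVG_NS
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")

# Illustrative ceiling chosen for this example; not the limit librsvg applies.
MAX_INSTANCES = 100_000


def paint_refs(elem):
    """Ids of patterns this element paints with via fill/stroke url(#id)."""
    ids = []
    for attr in ("fill", "stroke"):
        m = URL_REF.search(elem.get(attr, ""))
        if m:
            ids.append(m.group(1))
    return ids


def estimate_instances(svg_text):
    """Number of element instances produced once every pattern reference is
    expanded. Raises ValueError if a pattern (transitively) paints with itself."""
    root = ET.fromstring(svg_text)
    patterns = {p.get("id"): p for p in root.iter(PATTERN_TAG) if p.get("id")}
    memo = {}       # pattern id -> instances produced by one use of it
    active = set()  # patterns on the current expansion path (cycle detection)

    def pattern_cost(pid):
        if pid in memo:
            return memo[pid]
        if pid in active:
            raise ValueError("pattern cycle through #%s" % pid)
        active.add(pid)
        memo[pid] = sum(element_cost(child) for child in patterns[pid])
        active.discard(pid)
        return memo[pid]

    def element_cost(elem):
        # <defs> and <pattern> content is only drawn when something references it.
        if elem.tag in (DEFS_TAG, PATTERN_TAG):
            return 0
        total = 1  # the element itself
        for pid in paint_refs(elem):
            if pid in patterns:  # a dangling reference draws nothing
                total += pattern_cost(pid)
        for child in elem:
            total += element_cost(child)
        return total

    return element_cost(root)


def check_svg(svg_text, limit=MAX_INSTANCES):
    """Verdict a loader can act on before handing the file to a renderer."""
    try:
        n = estimate_instances(svg_text)
    except ValueError:
        return "reject:cycle", None
    return ("ok" if n <= limit else "reject:instances"), n


def nested_pattern_svg(depth, fanout):
    """Constructed input: `depth` chained patterns, each holding `fanout` rects
    painted with the previous pattern, so the expanded count grows as fanout**depth."""
    defs = []
    for level in range(depth):
        fill = "" if level == 0 else ' fill="url(#p%d)"' % (level - 1)
        rects = "".join(
            '<rect x="%d" width="1" height="1"%s/>' % (i, fill) for i in range(fanout)
        )
        defs.append(
            '<pattern id="p%d" width="%d" height="1" patternUnits="userSpaceOnUse">%s</pattern>'
            % (level, fanout, rects)
        )
    return (
        '<svg xmlns="%s" width="100" height="100"><defs>%s</defs>'
        '<rect width="100" height="100" fill="url(#p%d)"/></svg>'
        % (SVG_NS, "".join(defs), depth - 1)
    )


# Constructed cyclic document: p0 paints its own content with p0.
CYCLIC_SVG = (
    '<svg xmlns="%s"><defs><pattern id="p0" width="1" height="1">'
    '<rect width="1" height="1" fill="url(#p0)"/></pattern></defs>'
    '<rect width="10" height="10" fill="url(#p0)"/></svg>' % SVG_NS
)

if __name__ == "__main__":
    for depth in (3, 10, 20):
        print("depth", depth, check_svg(nested_pattern_svg(depth, 2)))
    print("cycle", check_svg(CYCLIC_SVG))
```

With fan-out 2 the estimate is 2 raised to depth+1, so a 20-level chain of tiny patterns, a document of a few kilobytes, already stands for about two million drawn objects. Memoising per pattern keeps the estimator itself linear in document size even though the rendered count is exponential, and a cycle is reported instead of recursed into. The estimate is a lower bound: it counts one copy of each pattern per reference and ignores the extra multiplication from tiling a pattern across the area it fills.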
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Affected products
- GNOME librsvg (before 2.46.2)
- NetApp Active IQ Unified Manager
- Canonical Ubuntu Linux 16.04, 18.04
- Debian Linux 9.0
- Fedora 30, 31
- openSUSE Leap 15.1
Weakness classification (CWE)
- CWE-400: Uncontrolled Resource Consumption
Public proof-of-concept exploits
- 1 public proof-of-concept repository is indexed
Frequently asked questions
- What is CVE-2019-20446?
- CVE-2019-20446 is a medium-severity denial-of-service vulnerability in GNOME librsvg before 2.46.2, classified under CWE-400 (Uncontrolled Resource Consumption). CVSS v3.1 base score: 6.5/10. Published 2020-02-02.
- How severe is CVE-2019-20446?
- Medium severity. CVSS v3 base score is 6.5 out of 10.
- Is CVE-2019-20446 known to be exploited?
- One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.