CVE-2021-21236 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-21236 Interim 1 7 2023-09-26T23:39:11Z current 2021-05-30T14:48:02Z 2023-09-26T23:39:11Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-21236 CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2GIY4HBHI7WUBHUAMEZKWBMEPOUYNCTU/ E-Mail link for openSUSE-SU-2023:0260-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/74KEOEJKIQ5UHFG7M5KN7X37WT37PVYX/ E-Mail link for openSUSE-SU-2023:0272-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 SP4 SUSE Package Hub 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 openSUSE Tumbleweed python3-CairoSVG-2.5.2-bp154.2.3.1 python3-CairoSVG-2.5.2-bp155.3.3.1 python310-CairoSVG-2.7.1-1.1 python311-CairoSVG-2.7.1-1.1 python39-CairoSVG-2.7.1-1.1 python3-CairoSVG-2.5.2-bp154.2.3.1 as a component of SUSE Package Hub 15 SP4 python3-CairoSVG-2.5.2-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 python3-CairoSVG-2.5.2-bp154.2.3.1 as a component of openSUSE Leap 15.4 python3-CairoSVG-2.5.2-bp155.3.3.1 as a component of openSUSE Leap 15.5 python310-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed python311-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed python39-CairoSVG-2.7.1-1.1 as a component of openSUSE Tumbleweed CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information. CVE-2021-21236 SUSE Package Hub 15 SP4:python3-CairoSVG-2.5.2-bp154.2.3.1 SUSE Package Hub 15 SP5:python3-CairoSVG-2.5.2-bp155.3.3.1 openSUSE Leap 15.4:python3-CairoSVG-2.5.2-bp154.2.3.1 openSUSE Leap 15.5:python3-CairoSVG-2.5.2-bp155.3.3.1 openSUSE Tumbleweed:python310-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python311-CairoSVG-2.7.1-1.1 openSUSE Tumbleweed:python39-CairoSVG-2.7.1-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H