CVE-2021-3838

Description

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

How to fix CVE-2021-3838

To remediate CVE-2021-3838, upgrade the affected package to a fixed version below.

• —upgrade to 0.6.2+dfsg-3.1+deb11u1 or later
• —upgrade to 0.6.2+dfsg-3+deb10u1 or later
• —upgrade to 0.6.2+dfsg-3+deb10u2 or later
• —upgrade to 0.6.2+dfsg-3.1+deb11u1 or later
• —upgrade to 2.0.0 or later

Is CVE-2021-3838 being exploited?

Moderate — EPSS is 6.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 0.6.2+dfsg-3.1+deb11u1
• from 0, < 0.6.2+dfsg-3+deb10u1
• from 0, < 0.6.2+dfsg-3+deb10u2
• from 0, < 0.6.2+dfsg-3.1+deb11u1
• from 0, < 2.0.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3838
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3838
• PATCHgithub.com/dompdf/dompdf
• WEBgithub.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
• WEB