Cyber Resilience

CVE-2023-38633

Severity: Medium · Public PoC
Published: 22 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: librsvg 2.56.3
CVSS v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.4361 (97.6th percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38633 is a medium-severity path traversal (CWE-22) vulnerability in GNOME librsvg. Its CVSS v3.1 base score is 5.5 (Medium).

Operationally, it ranks in the top 2.4% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

A directory traversal vulnerability exists in the URL decoder of librsvg before version 2.56.3. The flaw, classified as CWE-22, allows an attacker to supply a crafted href attribute in an xi:include element, such as ".?../../../../../../../../../../etc/passwd", so that the include resolves to a file outside the directory of the document being rendered. The ".?" prefix is the telling detail: in URL syntax everything after the "?" is a query string, so a check that operates on the parsed path component sees only "." while a decoder that treats the whole string as a file reference keeps the "../" sequence; a containment check and a file opener that interpret the same reference differently is the classic way such checks are bypassed. The CVSS 3.1 score of 5.5 reflects a local attack vector (AV:L), low attack complexity, low privileges required, no user interaction and high confidentiality impact with no integrity or availability impact.

Local or remote attackers who can supply SVG content to a process that renders it with a vulnerable librsvg can read arbitrary files that process has access to. No user interaction is needed beyond the rendering itself, so the exposure is greatest in unattended pipelines (server-side thumbnailers, document converters, image proxies) that process attacker-controlled SVG and return the result to the attacker, since the disclosure is only useful where the rendered output, and with it the included file content, reaches the attacker. Any application linking an affected version and processing xi:include from untrusted input should be considered exposed.

Advisories and vendor references indicate the issue is resolved in librsvg 2.56.3, with upstream updates from GNOME and distribution packages from downstream vendors such as SUSE, Fedora and Debian. Because the description covers every release before 2.56.3, treat any older build as affected unless the distribution package carries a backported fix; the CPE ranges listed under Affected Assets below enumerate only some of the vulnerable branches. Verify the installed version (for example with `rsvg-convert --version` or the package manager) and review any SVG processing pipeline that relies on librsvg, in particular whether it accepts SVG from untrusted sources.

The EPSS score has remained near 0.44 with only minimal movement between current and peak values, so there is no indication of a sharp rise in exploitation interest since disclosure, although a score in the 97th percentile already marks it as likely to be exploited relative to the CVE population.

Vulnerability details

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

CWE(s)

CWE-22: Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gnome
librsvg
2.42.3 — 2.46.6 · 2.48.0 — 2.48.11 · 2.50.0 — 2.50.8
fedoraproject
fedora
37, 38
debian
debian linux
11.0, 12.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
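The weakness class described under "Deeper analysis" and the CWE-22 control above, as an added example that is not librsvg's code and does not reproduce its internals: a schematic of a path-only check that approves the PoC href because the URL-style split hides the "../" sequence behind the "?", next to a hardened resolver that refuses query or fragment delimiters in file references, percent-decodes, normalises ".." lexically against the base directory, and returns only a path it has verified. The base directory, the hrefs other than the one quoted in the CVE text, and the RefError type are constructed for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a file reference is refused. Illustrative types for this
/// example; they are not librsvg's API.
#[derive(Debug, PartialEq)]
pub enum RefError {
    /// A reference to a sibling file must not carry a '?' query or '#' fragment.
    QueryOrFragment,
    /// Only relative references are accepted; absolute paths and URLs are not.
    NotRelative,
    /// Malformed percent-encoding, or an encoded '/' (%2F).
    BadEscape,
    /// After normalisation the path leaves the base directory.
    EscapesBase,
}

/// Decode %XX escapes. An encoded slash is refused so that it cannot
/// turn into a path separator after the containment check has run.
pub fn percent_decode(s: &str) -> Result<String, RefError> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3).ok_or(RefError::BadEscape)?;
            let hex = std::str::from_utf8(hex).map_err(|_| RefError::BadEscape)?;
            let b = u8::from_str_radix(hex, 16).map_err(|_| RefError::BadEscape)?;
            if b == b'/' {
                return Err(RefError::BadEscape);
            }
            out.push(b);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| RefError::BadEscape)
}

/// Join `rel` onto `base_dir`, resolving "." and ".." lexically. A ".."
/// that would step out of `base_dir` is refused outright, so the returned
/// path always lies inside `base_dir`.
fn join_inside(base_dir: &Path, rel: &str) -> Result<PathBuf, RefError> {
    let mut out = base_dir.to_path_buf();
    for component in Path::new(rel).components() {
        match component {
            Component::CurDir => {}
            Component::Normal(segment) => out.push(segment),
            Component::ParentDir => {
                if out.as_path() == base_dir {
                    return Err(RefError::EscapesBase);
                }
                out.pop();
            }
            Component::RootDir | Component::Prefix(_) => return Err(RefError::NotRelative),
        }
    }
    Ok(out)
}

/// Hardened resolver: every decision is made on the same decoded and
/// normalised path that is handed back for opening.
pub fn resolve_file_ref(base_dir: &Path, href: &str) -> Result<PathBuf, RefError> {
    if href.contains(|c: char| c == '?' || c == '#') {
        return Err(RefError::QueryOrFragment);
    }
    if href.contains("://") || href.starts_with('/') || href.starts_with('\\') {
        return Err(RefError::NotRelative);
    }
    let decoded = percent_decode(href)?;
    join_inside(base_dir, &decoded)
}

/// Schematic of the weak pattern (not librsvg's code): split the reference
/// the way a URL parser does and check only the path part. The PoC's path
/// part is just ".", so the check approves it, while the full reference
/// that reaches the file-opening code still carries the "../" sequence.
pub fn weak_path_only_check(base_dir: &Path, href: &str) -> bool {
    let path_part = href.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
    join_inside(base_dir, path_part).is_ok()
}

fn main() {
    let base = Path::new("/srv/svg"); // constructed directory of the rendered document
    let poc = ".?../../../../../../../../../../etc/passwd"; // href quoted in the CVE text
    println!("weak path-only check accepts PoC: {}", weak_path_only_check(base, poc));
    println!("hardened resolver on PoC: {:?}", resolve_file_ref(base, poc));
    // Constructed hrefs: one legitimate sibling reference and three traversal attempts.
    for href in ["icons/a.svg", "../../etc/passwd", "icons/%2e%2e/../b.svg", "%2e%2e/x.svg"] {
        println!("{:?} -> {:?}", href, resolve_file_ref(base, href));
    }
}
```

The point of the split is that `resolve_file_ref` returns the only path the caller is allowed to open; nothing downstream re-decodes the original href, so there is no second interpretation for a ".?" or "%2e" trick to exploit.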