id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
14319	CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)	sebastic	team	"svgSalamander is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list ([http://www.openwall.com/lists/oss-security/2017/01/27/3 1]) and also in the svgSalamander !GitHub repository ([https://github.com/blackears/svgSalamander/issues/11 2]):
> If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.
> 
> The attacker can send a specially crafted svg file, for example
> {{{
> #!xml
> <svg width=""5cm"" height=""4cm"" version=""1.1""
>      xmlns=""http://www.w3.org/2000/svg"" xmlns:xlink= ""http://www.w3.org/1999/xlink"">
> 	<image xlink:href=""https://host-in-the-trusted-network.com/test.jpg"" x=""0"" y=""0"" height=""50px"" width=""50px""/>
> </svg>
> }}}
> and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.
> 
> How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at
> https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120
> 
> Additional information:
> https://cwe.mitre.org/data/definitions/918.html
> http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities

See also: [https://bugs.debian.org/853134 Debian Bug #853134]"	defect	closed	major	17.02	Core		fixed	svgsalamander cve ssrf	sebastic
