
com.caverock:androidsvg@1.2.1 XXE injection #2507

Closed
deadjdona opened this issue Jun 5, 2020 · 2 comments

@deadjdona

Description

XML External Entity (XXE) Injection

  • Vulnerable module: com.caverock:androidsvg
  • Introduced through: com.caverock:androidsvg@1.2.1
  • Exploit maturity: No known exploit
  • Fixed in: 1.3.0

Detailed paths and remediation

  • Introduced through: project@0.0.0 › com.caverock:androidsvg@1.2.1

Reproduction

Solution

Remediation: Upgrade to com.caverock:androidsvg@1.3

Additional Information

  • Fresco version: latest
  • Platform version: android

Overview

com.caverock.androidsvg is an SVG parser and renderer for Android.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SVG parsing component.
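
The snippet below is an added example and is neither androidsvg's code nor the fix this issue refers to. It shows what an XXE payload looks like inside an SVG document (a DOCTYPE declaring an external general entity that is then referenced from `<title>`) and a JAXP SAX parser configured so that the DOCTYPE is refused outright or, where the implementation does not support that switch, external entities are never resolved. The file path in the entity declaration is a placeholder, the feature URIs are the standard SAX and Apache Xerces names, and each feature is set independently because not every parser recognises every name (the Android platform parser in particular is not Xerces and may reject the Apache-specific ones with `SAXNotRecognizedException`).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SvgXxeDemo {

    // Constructed sample payload (not from the issue): an SVG whose <title>
    // expands an external general entity. A parser that resolves external
    // entities would copy the referenced file's contents into the title text.
    // The file path is a placeholder chosen for the demo.
    static final String HOSTILE_SVG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [\n"
      + "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"10\" height=\"10\">\n"
      + "  <title>&leak;</title>\n"
      + "</svg>\n";

    // Collects the character data seen inside <title>, the element where the
    // entity reference sits; anything that lands here came from entity expansion.
    static final class TitleCollector extends DefaultHandler {
        final StringBuilder title = new StringBuilder();
        private boolean inTitle;

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts) {
            inTitle = "title".equals(local) || "title".equals(qName);
        }

        @Override
        public void endElement(String uri, String local, String qName) {
            inTitle = false;
        }

        @Override
        public void characters(char[] ch, int start, int len) {
            if (inTitle) {
                title.append(ch, start, len);
            }
        }
    }

    // Hardened factory: refuse DOCTYPEs where the parser supports that, and in
    // any case never resolve external general or parameter entities or fetch
    // an external DTD. Each feature is tried on its own so an implementation
    // that lacks one still gets the remaining lines of defence.
    static SAXParserFactory hardenedFactory() {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        setFeatureIfSupported(f, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeatureIfSupported(f, "http://xml.org/sax/features/external-general-entities", false);
        setFeatureIfSupported(f, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeatureIfSupported(f, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    static void setFeatureIfSupported(SAXParserFactory f, String name, boolean value) {
        try {
            f.setFeature(name, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
            // This parser implementation does not know the feature; the other
            // features are still applied by the caller.
            System.err.println("feature not supported by this parser: " + name);
        }
    }

    // Parses the document and returns whatever ended up inside <title>.
    // With the hardened factory this is either an exception (DOCTYPE refused)
    // or an empty string (entity reference skipped, nothing expanded).
    static String parseTitle(SAXParserFactory factory, String svg)
            throws ParserConfigurationException, SAXException, java.io.IOException {
        SAXParser parser = factory.newSAXParser();
        TitleCollector handler = new TitleCollector();
        try (InputStream in = new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, handler);
        }
        return handler.title.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            String title = parseTitle(hardenedFactory(), HOSTILE_SVG);
            System.out.println("DOCTYPE accepted, entity not resolved; <title> = \"" + title + "\"");
        } catch (SAXParseException e) {
            System.out.println("document rejected: " + e.getMessage());
        }
    }
}
```

On a JDK with the bundled Xerces parser the first branch is never reached: `disallow-doctype-decl` makes `parse` throw a `SAXParseException` as soon as the DOCTYPE is seen. On a parser that only honours the `external-general-entities` switch, the entity is reported through `skippedEntity` instead of being expanded, so `parseTitle` returns an empty string rather than the referenced file's contents; either outcome is acceptable, and a non-empty title is the signal that the configuration did not take effect.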

@oprisnik oprisnik self-assigned this Jun 10, 2020
@oprisnik (Contributor)

Thanks for the report. It's only used in our sample app and not in Fresco itself. I'll update the lib shortly.

@oprisnik oprisnik added the bug label Jun 10, 2020
@oprisnik (Contributor)

Fixed with 3a92142
