CIVI-SA-2023-06: Dompdf 2.0.3

Veröffentlicht

2023-02-15 12:00

Written by

dev-team

The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.

Security Risk

Critical

Vulnerability

Arbitrary PHP Code Execution

Affected Versions

CiviCRM version 5.58.0 (and earlier), 5.57.3 (and earlier)

Fixed Versions

CiviCRM version 5.58.1, 5.57.4 (ESR)

Publication Date

2023-02-15 - 12:00

Solutions

Upgrade to the fixed version of CiviCRM

Alternatively, if you cannot upgrade CiviCRM, you MAY be able to manually upgrade dompdf (on Drupal 8/9). In your site-root, download the secure version:

composer require 'dompdf/dompdf:~2.0.3'

NOTE: This is useful as a short-term override. In the future, when you have a chance to update CiviCRM, you will need to edit composer.json and remove this override.

Credits

@Ry0taK, @Blaklis, @bsweeney

References

https://github.com/advisories/GHSA-3cw5-7cxw-v5qg
https://github.com/advisories/GHSA-56gj-mvh6-rp75

CVE

CVE-2023-24813

CIVI-SA-2023-06: Dompdf 2.0.3

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM

Languages

CIVI-SA-2023-06: Dompdf 2.0.3

WORK WITH A TRUSTED EXPERT TO SETUP YOUR CIVICRM

WORK WITH A TRUSTED EXPERT
TO SETUP YOUR CIVICRM