CVE-2019-20446
6.5
MEDIUM
CVSS 3.1
EPSS 1.3%
Description
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
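To make the mechanism concrete, the following added example (not code from the advisory, from librsvg, or from the distribution packages listed below) constructs an SVG in which each `<pattern>` is painted with several shapes that are themselves filled by the next pattern, and then walks the pattern reference graph to estimate how many objects a naive renderer would instantiate. With fan-out `f` and depth `d` the count grows as roughly `f**d`, which is the exponential blow-up the description refers to. Function names, the `limit` parameter and the sample SVG are assumptions for illustration; the estimator counts element instantiations only, not pattern tiles, so it is a lower bound on real rendering work.

```python
"""Nested-pattern SVG blow-up: generator plus a pre-render estimator.

Added example, not from the CVE text or the librsvg project. It builds a
constructed SVG whose patterns reference each other in a chain and counts
how many objects a renderer that resolves every fill would have to draw.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
FILL_REF = re.compile(r"url\(#([^)]+)\)")


def build_nested_pattern_svg(depth: int, fanout: int) -> str:
    """Constructed sample input: pattern p0 contains `fanout` rects filled
    with p1, p1 contains `fanout` rects filled with p2, ... and the last
    pattern contains plain red rects. A 100x100 rect is painted with p0."""
    parts = ['<svg xmlns="%s" width="100" height="100"><defs>' % SVG_NS]
    for i in range(depth):
        parts.append('<pattern id="p%d" width="1" height="1" '
                     'patternUnits="userSpaceOnUse">' % i)
        for j in range(fanout):
            fill = "url(#p%d)" % (i + 1) if i + 1 < depth else "red"
            parts.append('<rect x="%d" y="0" width="1" height="1" fill="%s"/>'
                         % (j, fill))
        parts.append("</pattern>")
    parts.append('</defs><rect width="100" height="100" fill="url(#p0)"/></svg>')
    return "".join(parts)


def _subtree_cost(el, patterns, memo, stack, limit):
    """Count every element drawn below `el`, following fill="url(#id)"
    references into pattern definitions. Patterns are counted only when
    referenced, never where they are defined."""
    total = 0
    for child in el:
        tag = child.tag.split("}")[-1]
        if tag in ("defs", "pattern"):
            continue  # definitions are not drawn in place
        total += 1
        m = FILL_REF.search(child.get("fill", ""))
        if m and m.group(1) in patterns:
            total += _pattern_cost(m.group(1), patterns, memo, stack, limit)
        total += _subtree_cost(child, patterns, memo, stack, limit)
        if total > limit:
            raise ValueError("render budget of %d objects exceeded" % limit)
    return total


def _pattern_cost(pid, patterns, memo, stack, limit):
    """Cost of instantiating pattern `pid` once; rejects reference cycles."""
    if pid in stack:
        raise ValueError("pattern reference cycle through #%s" % pid)
    if pid in memo:
        return memo[pid]
    stack.add(pid)
    cost = _subtree_cost(patterns[pid], patterns, memo, stack, limit)
    stack.remove(pid)
    memo[pid] = cost
    return cost


def estimate_rendered_objects(svg_text: str, limit: int = 100_000) -> int:
    """Estimate objects a naive renderer instantiates for `svg_text`.
    Raises ValueError when the estimate exceeds `limit` or a cycle is found."""
    root = ET.fromstring(svg_text)
    patterns = {el.get("id"): el
                for el in root.iter("{%s}pattern" % SVG_NS) if el.get("id")}
    return _subtree_cost(root, patterns, {}, set(), limit)


def is_safe_to_render(svg_text: str, limit: int = 100_000) -> bool:
    """Pre-screen hook: False if the estimate exceeds `limit` or a pattern
    cycle exists, so the file never reaches the renderer."""
    try:
        estimate_rendered_objects(svg_text, limit)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for depth, fanout in ((3, 2), (2, 3), (12, 4)):
        svg = build_nested_pattern_svg(depth, fanout)
        print(depth, fanout, is_safe_to_render(svg),
              estimate_rendered_objects(svg, limit=10**9))
```

Used as a gate in front of a renderer, `is_safe_to_render` turns an unbounded rendering job into a bounded walk over the document, which is the right place to enforce a budget regardless of the librsvg version in use.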
How to fix CVE-2019-20446
To remediate CVE-2019-20446, upgrade the affected package to one of the fixed versions listed below (upstream fixed the issue in librsvg 2.46.2; distribution packages may carry the fix under a different version number).
- Alpine/librsvg—upgrade to 2.40.21-r0 or later
- —upgrade to 2.46.4-1 or later
Is CVE-2019-20446 being exploited?
Low (EPSS 1.3%). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days; a score of 1.3% indicates little observed exploitation activity, not that exploitation is impossible.
Affected packages (2)
- from 0, < 2.40.21-r0
- from 0, < 2.46.4-1
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |