CVE-2023-45139 — fonttools XML External Entity Injection (XXE) Vulnerability

Description

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

How to fix CVE-2023-45139

To remediate CVE-2023-45139, upgrade the affected package to a fixed version below.

—upgrade to 4.38.0-1+deb12u1 or later
—upgrade to 4.43.0 or later

Is CVE-2023-45139 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.38.0-1+deb12u1
>= 4.28.2, < 4.43.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-45139
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-45139
PATCHgithub.com/fonttools/fonttools
WEBgithub.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c