SVG Salamander: Server-Side Request Forgery — GLSA 202003-11

A SSRF may allow remote attackers to forge illegitimate requests.

Affected packages

dev-java/svgsalamander on all architectures
Affected versions <= 0.0-r2
Unaffected versions

Background

SVG Salamander is a light weight SVG renderer and animator for Java.

Description

A Server-Side Request Forgery was discovered in SVG Salamander.

Impact

An attacker, by sending a specially crafted SVG file, can conduct SSRF.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for SVG Salamander. We recommend that users unmerge SVG Salamander:

 # emerge --unmerge "dev-java/svgsalamander"
 

References

Release date
March 14, 2020

Latest revision
March 14, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries