Opened 7 years ago

Closed 7 years ago

Last modified 4 years ago

#14319 closed defect (fixed)

CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

Reported by: sebastic Owned by: team
Priority: major Milestone: 17.02
Component: Core Version:
Keywords: svgsalamander cve ssrf Cc: sebastic

Description (last modified by Don-vip)

svgSalamaner is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

<svg width="5cm" height="4cm" version="1.1"
     xmlns="" xmlns:xlink= "">
        <image xlink:href="" x="0" y="0" height="50px" width="50px"/>

and the lib will send the request inside the trusted network to the (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.

How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at

Additional information:

See also: Debian Bug #853134

Attachments (0)

Change History (14)

comment:1 by Don-vip, 7 years ago

Description: modified (diff)

comment:2 by Don-vip, 7 years ago

Thanks for the report, I was following this since it popped on Github. Sadly 5 days and stil no answer from library author so I'm going to fix this myself.

comment:3 by Don-vip, 7 years ago

In 11525/josm:

see #14319 - update to latest version of svgSalamander (2017-01-07, patched)

comment:4 by Don-vip, 7 years ago

Resolution: fixed
Status: newclosed

In 11526/josm:

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

comment:5 by Don-vip, 7 years ago

Tomorrow morning if all tests are OK I will probably promote the latest release as new stable version (17.01 hotfix).

comment:6 by anonymous, 7 years ago

Thanks for the fixes. I've included your changes in the svgsalamander Debian package.

Due to leaving for FOSDEM tomorrow, I'm unlikely to have time to package the 17.01 hotfix until after FOSDEM.

comment:7 by Don-vip, 7 years ago

Done: r11526 is the new hotfix

comment:8 by Don-vip, 6 years ago

Library author fixed it differently.

When we update svgSalamander we must use SVGUniverse.setImageDataInlineOnly(true)

comment:9 by Don-vip, 6 years ago

In 14328/josm:

see #14319, see #16838 - update to svgSalamander 1.1.2

comment:10 by Don-vip, 6 years ago

In 14331/josm:

see #14319, see #16838 - fix regressions introduced in svgSalamander 1.1.2


comment:11 by Don-vip, 6 years ago

Ah, the upstream fix is not correct! so svgSalamander 1.1.2 is still vulnerable.

comment:12 by Don-vip, 6 years ago

In 14334/josm:

see #14319, see #16838 - svgSalamander fix for CVE-2017-5617 was incomplete


comment:13 by Don-vip, 5 years ago

In 14361/josm:

see #14319, see #16838 - fix another NPE / regression from svgSalamander 1.1.2 (causing unit test failure in DXF plugin)


comment:14 by simon04, 4 years ago

Keywords: svgsalamander cve ssrf added

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain team.
as The resolution will be set.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.