History: Dec 06, 2022 - 7:15 p.m.

CVE-2022-46161

2022-12-06 19:15:10
CWE-94
web.nvd.nist.gov
pdfmake
javascript
pdf
security
cve-2022-46161

CVSS3: 10 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.7 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 73.7%)

pdfmake is an open source client/server-side PDF printing library written in pure JavaScript. Versions up to and including 0.2.5 contain an unsafe evaluation of user-controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.

Affected configurations

Node: bpampuch pdfmake, Range 0.2.5

CNA Affected

[
  {
    "vendor": "bpampuch",
    "product": "pdfmake",
    "versions": [
      {
        "version": "<= 0.2.5",
        "status": "affected"
      }
    ]
  }
]
