CVE-2022-39381 Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp

2022-11-0200:00:00

CWE-690

GitHub_M

www.cve.org

cve-2022-39381

unchecked return value

null pointer dereference

pdfdocumenthandler

muhammara

node module

electron

dos

vulnerability

patched

untrusted sources

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

39.8%

JSON

Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.

CNA Affected

[
  {
    "vendor": "julianhille",
    "product": "MuhammaraJS",
    "versions": [
      {
        "version": "< 2.6.0",
        "status": "affected"
      }
    ]
  }
]