GitHub Advisory DatabaseGHSA-RHWX-HJX2-X4QRPDFKit vulnerable to Command Injection
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.191 Low
EPSS
Percentile
96.3%
The package pdfkit is vulnerable to Command Injection where the URL is not properly sanitized.
Note: This issue was patched in 0.8.7.2, but the patch was discovered to be ineffective. The updated patch version is 0.8.7.2.
Affected configurations
References
packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
github.com/advisories/GHSA-rhwx-hjx2-x4qr
github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb%23L55-L58
github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb%23L44-L50
github.com/pdfkit/pdfkit/issues/517
github.com/pdfkit/pdfkit/pull/519
github.com/pdfkit/pdfkit/releases/tag/v0.8.7
github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml
lists.fedoraproject.org/archives/list/[email protected]/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/
lists.fedoraproject.org/archives/list/[email protected]/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/
lists.fedoraproject.org/archives/list/[email protected]/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/
nvd.nist.gov/vuln/detail/CVE-2022-25765
security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.191 Low
EPSS
Percentile
96.3%