Pdoc Python Library <= 14.5.1 (CVE-2024-38526)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(212710);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/10");

  script_cve_id("CVE-2024-38526");

  script_name(english:"Pdoc Python Library <= 14.5.1 (CVE-2024-38526)");

  script_set_attribute(attribute:"synopsis", value:
"A Python library installed on the remote host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript
files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been 
fixed in pdoc 14.5.1.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d347c803");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Pdoc version 14.5.1 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-38526");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/06/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/12/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pdoc:pdoc");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("python_packages_installed_nix.nbin", "python_packages_win_installed.nbin");
  script_require_ports("Host/nix/Python/Packages/Enumerated", "Host/win/Python/Packages/Enumerated");

  exit(0);
}


include('python.inc');

var pkg = 'pdoc';

var cpe = 'cpe:/a:pdoc:pdoc';
var libs = python::get_package_info(pkg_name:pkg, cpe:cpe);

if (empty_or_null(libs))
  audit(AUDIT_NOT_INST, pkg);

vcf::check_all_backporting(app_info:libs);

var constraints = [
  { 'fixed_version' : '14.5.1' },
];

vcf::check_version_and_report(app_info:libs, constraints:constraints, severity:SECURITY_WARNING);