nvd | NVD:CVE-2022-39381
Nov 02, 2022 - 3:15 p.m.

CVE-2022-39381

2022-11-02 15:15:10
CWE-690, CWE-476
web.nvd.nist.gov
Tags: muhammara, hummus, pdf, vulnerability, denial of service, malicious, workaround

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 39.8%

Muhammara is a Node module with C/C++ bindings for modifying PDFs with JavaScript in Node or Electron (based on, and a replacement for, galkhana/hummusjs). The package muhammara before 2.6.0 and all versions of the package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.

Affected configurations

Nvd
Node
muhammarajs_project | muhammarajs | Range 2.6.0 | node.js
OR
pdfhummus | hummusjs | Range <1.0.111 | node.js

Vendor | Product | Version | CPE
muhammarajs_project | muhammarajs | * | cpe:2.3:a:muhammarajs_project:muhammarajs:*:*:*:*:*:node.js:*:*
pdfhummus | hummusjs | * | cpe:2.3:a:pdfhummus:hummusjs:*:*:*:*:*:node.js:*:*
