GoogleOSV:GHSA-RHWX-HJX2-X4QRPDFKit vulnerable to Command Injection
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.191 Low
EPSS
Percentile
96.3%
The package pdfkit is vulnerable to Command Injection where the URL is not properly sanitized.
Note: This issue was patched in 0.8.7.2, but the patch was discovered to be ineffective. The updated patch version is 0.8.7.2.
References
packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
github.com/pdfkit/pdfkit
github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb%23L55-L58
github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb%23L44-L50
github.com/pdfkit/pdfkit/issues/517
github.com/pdfkit/pdfkit/pull/519
github.com/pdfkit/pdfkit/releases/tag/v0.8.7
github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml
lists.fedoraproject.org/archives/list/[email protected]/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ
lists.fedoraproject.org/archives/list/[email protected]/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD
lists.fedoraproject.org/archives/list/[email protected]/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT
nvd.nist.gov/vuln/detail/CVE-2022-25765
security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.191 Low
EPSS
Percentile
96.3%