CVE-2022-46161

Code injection in pdfmake

CVSS 10 CRITICAL · EPSS 1.6% · CWE-94
Vexday Risk Score
28 (Low)
SSVC decision (CISA)
Track
No sign of exploitation → monitor
CVSS 10 · EPSS 1.6% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
06 Dec 2022: Published in NVD
Recommendation: Monitor. No sign of exploitation for now.
pdfmake is an open source client/server side PDF printing library in pure JavaScript. In versions up to and including 0.2.5, pdfmake contains an unsafe evaluation of user-controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
bpampuch · pdfmake
