CVE-2024-34342

2024-05-0715:15:09

CWE-79

GitHub_M

web.nvd.nist.gov

cve-2024-34342

pdf.js

malicious pdf

javascript execution

hosting domain

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

AI Score

6.3

Confidence

Low

EPSS

Percentile

10.3%

JSON

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2.

Affected configurations

Vulners

Vulnrichment

Node

wojtekmajreact_pdfRange<7.7.3

wojtekmajreact_pdfRange8.0.0–8.0.2

VendorProductVersionCPE
wojtekmajreact_pdf*cpe:2.3:a:wojtekmaj:react_pdf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wojtekmaj	react_pdf	*	cpe:2.3:a:wojtekmaj:react_pdf::::::::

CNA Affected

[
  {
    "vendor": "wojtekmaj",
    "product": "react-pdf",
    "versions": [
      {
        "version": "< 7.7.3",
        "status": "affected"
      },
      {
        "version": ">= 8.0.0, < 8.0.2",
        "status": "affected"
      }
    ]
  }
]