SnykCVELIST:CVE-2022-25765

HistorySep 09, 2022 - 5:00 a.m.

CVE-2022-25765 Command Injection

2022-09-0905:00:15

snyk

www.cve.org

pdfkit url sanitization vulnerability

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.8

Confidence

High

EPSS

0.213

Percentile

96.5%

JSON

The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized.

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "pdfkit",
    "versions": [
      {
        "version": "0.0.0",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html

github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb%23L55-L58

github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb%23L44-L50

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/

security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score

9.8

Confidence

High

EPSS

0.213

Percentile

96.5%

JSON

Related for CVELIST:CVE-2022-25765