CVE-2024-38526 pdoc embeds link to malicious CDN if math mode is enabled

2024-06-2523:53:54

CWE-1395

GitHub_M

www.cve.org

pdoc

api documentation

python projects

javascript files

polyfill.io

cdn

malicious code

cve-2024-38526

fixed

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N

EPSS

0.001

Percentile

29.0%

JSON

pdoc provides API Documentation for Python Projects. Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

CNA Affected

[
  {
    "vendor": "mitmproxy",
    "product": "pdoc",
    "versions": [
      {
        "version": "< 14.5.1",
        "status": "affected"
      }
    ]
  }
]