GHSA-4m3g-6r7g-jv4f

Source
https://github.com/advisories/GHSA-4m3g-6r7g-jv4f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4m3g-6r7g-jv4f/GHSA-4m3g-6r7g-jv4f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4m3g-6r7g-jv4f
Published
2024-06-05T14:15:50Z
Modified
2024-12-02T05:27:24.601723Z
Severity
  • 3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Summary
Arbitrary JavaScript execution due to using outdated libraries
Details

Summary

gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution.

PoC

  1. Generate a PDF file with a malicious script in the FontMatrix (this will run alert('XSS')): poc.pdf

  2. Run the app. In this PoC, I've used the demo for a simple proof.

  3. Upload a PDF file containing the script.

  4. Check that the script is running.

Impact

Malicious scripts can be injected into the code and, when combined with vulnerabilities such as CSRF, can cause even greater damage. In particular, it can become a source of further attacks, especially when combined with social engineering.

Mitigation

Upgrade pdf.js to v4.2.67, which removes the vulnerability, or set the option isEvalSupported to false.
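As an added defender-side example (not code from gradio-pdf or pdf.js), the following heuristic flags FontMatrix arrays with non-numeric entries in an uploaded PDF, looking inside Flate-compressed streams because embedded Type1 font programs are normally compressed. The PDF fragments it scans are constructed for the example, and the `notanumber` token stands in for any non-numeric content.

```python
import re
import zlib

# Heuristic scanner for the CVE-2024-4367 vector described above: vulnerable
# pdf.js versions interpolate FontMatrix values into generated code when
# isEvalSupported is true, so a matrix that is not six plain numbers is a red flag.
FONTMATRIX_RE = re.compile(rb"/FontMatrix\s*\[([^\]]*)\]")
NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")
# "(?<!end)" keeps the keyword in "endstream" from starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _candidate_buffers(pdf_bytes: bytes):
    """Yield the raw file plus every stream body that inflates, since the
    font program that carries /FontMatrix is usually FlateDecode'd."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data or truncated; the raw copy is already scanned


def suspicious_font_matrices(pdf_bytes: bytes) -> list[bytes]:
    """Return each distinct FontMatrix array whose entries are not all numbers."""
    findings: list[bytes] = []
    for buf in _candidate_buffers(pdf_bytes):
        for m in FONTMATRIX_RE.finditer(buf):
            entries = m.group(1).split()
            if len(entries) != 6 or not all(NUMBER_RE.match(e) for e in entries):
                if m.group(0) not in findings:
                    findings.append(m.group(0))
    return findings


def _pdf_with_font_program(font_program: bytes) -> bytes:
    """Constructed minimal PDF fragment embedding a Flate-compressed font
    program; enough for the scanner, not a renderable document."""
    body = zlib.compress(font_program)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


# Constructed samples: a normal Type1 matrix and one with a non-numeric entry.
BENIGN_PDF = _pdf_with_font_program(b"/FontMatrix [0.001 0 0 0.001 0 0] readonly def")
TAMPERED_PDF = _pdf_with_font_program(b"/FontMatrix [0.001 0 0 0.001 0 notanumber] readonly def")
```

A hit is a reason to reject or quarantine the upload before it reaches the viewer; the check complements upgrading pdf.js or disabling isEvalSupported rather than replacing either.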

Reference

  1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
  2. https://github.com/mozilla/pdf.js/pull/18015
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-05T14:15:50Z"
}
Affected packages

PyPI / gradio-pdf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.10

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9