UBUNTU-CVE-2023-38745

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2023-38745

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-38745.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-38745

Related

CVE-2023-38745

Published

2023-07-25T04:15:00Z

Modified

2025-01-13T10:24:23Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).

References

Affected packages

Ubuntu:Pro:14.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@1.12.2.1-1build2?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11.1-2build2

1.11.1-4

1.11.1-5

1.12.2.1-1

1.12.2.1-1build1

1.12.2.1-1build2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@1.16.0.2~dfsg-1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.13.2.1~dfsg-1build6

1.15.1.1~dfsg-2

1.15.1.1~dfsg-2build1

1.16.0.2~dfsg-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@1.19.2.4~dfsg-1build4?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.19.2.1.0-1

1.19.2.4~dfsg-1build1

1.19.2.4~dfsg-1build2

1.19.2.4~dfsg-1build3

1.19.2.4~dfsg-1build4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@2.5-3build2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5-2

2.5-3

2.5-3build1

2.5-3build2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@2.9.2.1-3ubuntu2?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.2.1-1ubuntu4

2.9.2.1-3ubuntu1

2.9.2.1-3ubuntu2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@3.1.3+ds-3build2?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.3+ds-2

3.1.3+ds-3build1

3.1.3+ds-3build2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / pandoc

Package

Name: pandoc
Purl: pkg:deb/ubuntu/pandoc@3.1.3+ds-2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.17.1.1-3ubuntu1

3.*

3.0.1+ds-3

3.1.3+ds-1

3.1.3+ds-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}