Описание
pdoc embeds link to malicious CDN if math mode is enabled
Impact
Documentation generated with pdoc --math linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.
Users who produce documentation with math mode should update immediately. All other users are unaffected.
Patches
This issue has been fixed in pdoc 14.5.1.
References
https://github.com/mitmproxy/pdoc/pull/703 https://sansec.io/research/polyfill-supply-chain-attack
Timeline
- [2024-06-25] https://sansec.io/research/polyfill-supply-chain-attack is published.
- [2024-06-25 20:54 UTC] Issue reported to the pdoc project by @adhintz.
- [2024-06-25 21:33 UTC] Patched version released.
- [2024-06-25 21:37 UTC] Security advisory published.
- [2024-06-25 23:49 UTC] CVE-2024-38526 assigned by GitHub.
Ссылки
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
- https://nvd.nist.gov/vuln/detail/CVE-2024-38526
- https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/commit/726b8f2e365fe8afeb3604a7c73d19b460395d58
- https://sansec.io/research/polyfill-supply-chain-attack
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526
Пакеты
pdoc
< 14.5.1
14.5.1
Связанные уязвимости
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
Уязвимость компонентов EAI, UI (Oxygen XML WebHelp) системы управления взаимоотношениями с клиентами Oracle Siebel CRM, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании