GHSA-x949-7cm6-fm6p

Опубликовано: 16 дек. 2021

Источник: github

Github: Прошло ревью

CVSS3: 9.8

Описание

Code Injection in md-to-pdf.

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2021-23639
https://github.com/simonhaenisch/md-to-pdf/issues/99
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

Пакеты

Наименование

md-to-pdf

npm

Затронутые версииВерсия исправления

< 5.0.0

5.0.0

EPSS

Процентиль: 96%

0.24757

Средний

9.8 Critical

CVSS3

CVE ID

CVE-2021-23639

Дефекты

CWE-94

Связанные уязвимости

CVE-2021-23639

CVSS3: 9.8

nvd

около 4 лет назад

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

EPSS

Процентиль: 96%

0.24757

Средний

9.8 Critical

CVSS3

CVE ID

CVE-2021-23639

Дефекты

CWE-94