CVE-2021-23639

Опубликовано: 10 дек. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

Ссылки

https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
Patch
Third Party Advisory
https://github.com/simonhaenisch/md-to-pdf/issues/99
Exploit
Issue Tracking
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Exploit
Patch
Third Party Advisory
https://github.com/simonhaenisch/md-to-pdf/commit/a716259c548c82fa1d3b14a3422e9100619d2d8a
Patch
Third Party Advisory
https://github.com/simonhaenisch/md-to-pdf/issues/99
Exploit
Issue Tracking
Patch
Third Party Advisory
https://snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:markdown_to_pdf_project:markdown_to_pdf:*:*:*:*:*:node.js:*:*

Версия до 5.0.0 (исключая)

EPSS

Процентиль: 96%

0.24757

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-x949-7cm6-fm6p