Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.
A flaw was found in jsPDF, a JavaScript library for generating PDFs. A remote attacker can inject arbitrary Extensible Metadata Platform (XMP) metadata into a generated PDF by providing unsanitized input to the addMetadata function. This XML injection vulnerability can compromise the integrity of the PDF, especially if the document is subsequently signed, stored, or processed.
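As an added example (not code from jsPDF or from Red Hat), the escaping and check a caller can apply before handing untrusted text to addMetadata on a jsPDF version prior to 4.1.0. It assumes jsPDF's addMetadata(metadata, namespaceUri) call shape and stands in a stub document object for a real jsPDF instance; the demo input is constructed.

```javascript
// Added example, not jsPDF code. Prior to 4.1.0 addMetadata() embedded its
// first argument verbatim inside the XMP packet of the generated PDF, so any
// caller that forwards untrusted text must escape it first.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Replace the five XML-significant characters with their entity references.
function escapeXml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Defence in depth: after escaping, the value must contain no markup
// delimiters and no control characters that are illegal in XML 1.0 text.
function isSafeXmpText(text) {
  return !/[<>]/.test(text) && !/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(text);
}

// Wrapper to use in place of a raw doc.addMetadata(untrustedInput, ns).
// `doc` is assumed to expose addMetadata(metadata, namespaceUri) as jsPDF does.
function addMetadataSafely(doc, untrusted, namespaceUri) {
  const escaped = escapeXml(untrusted);
  if (!isSafeXmpText(escaped)) {
    throw new Error('metadata contains characters that cannot be embedded safely');
  }
  doc.addMetadata(escaped, namespaceUri);
  return escaped;
}

// Constructed demo: a stub document records what would reach the XMP packet.
function demo() {
  const calls = [];
  const stubDoc = { addMetadata: (m, ns) => calls.push({ m, ns }) };
  addMetadataSafely(stubDoc, 'Report for <customer> & "friends"', 'http://example.invalid/ns/');
  return calls;
}

console.log(demo());
```

Escaping is the caller-side control; it does not replace upgrading to jsPDF 4.1.0, which fixes the library itself. If the PDF is later signed, the escaped text is what the signature covers, so the metadata can no longer carry elements the application did not intend.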
Statement
This MODERATE impact vulnerability in jsPDF allows for the injection of arbitrary XMP metadata into generated PDFs if unsanitized input is passed to the addMetadata function. This could compromise the integrity of PDFs processed by affected Red Hat Advanced Cluster Security components. Red Hat Advanced Cluster Security versions 4.8 and 4.9 are affected.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected Packages

| Platform | Package | State | Errata | Release Date |
|---|---|---|---|---|
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-central-db-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-main-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-rhel8-operator | Fix deferred | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-roxctl-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-scanner-v4-db-rhel8 | Fix deferred | | |
| Red Hat Advanced Cluster Security 4 | advanced-cluster-security/rhacs-scanner-v4-rhel8 | Fix deferred | | |
Additional information
CVSS3 base score: 5.8 Medium
Related vulnerabilities
jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
5.8 Medium (CVSS3)
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, use ...