CVE-2024-34342
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-34342
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34342.json
- Aliases
-
- CVE-2024-4367
- GHSA-87hq-q4gp-9wr4
- GHSA-wgrm-67xf-hhpq
- Published
- 2024-05-07T15:15:09Z
- Modified
- 2024-05-14T13:11:32.923377Z
- Summary
- [none]
- Details
-
react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with
isEvalSupportedset totrue(which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in 7.7.3 and 8.0.2. - References
-
- https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq
- https://github.com/wojtekmaj/react-pdf/security/advisories/GHSA-87hq-q4gp-9wr4
- https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6
- https://github.com/wojtekmaj/react-pdf/commit/208f28dd47fe38c33ce4bac4205b2b0a0bb207fe
- https://github.com/wojtekmaj/react-pdf/commit/671e6eaa2e373e404040c13cc6b668fe39839cad
- https://github.com/mozilla/pdf.js/pull/18015
Affected packages
Git / github.com/mozilla/pdf.js
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mozilla/pdf.js
- Events
- Type
- GIT
- Repo
- https://github.com/wojtekmaj/react-pdf
- Events
-
Introduced0The exact introduced commit is unknownFixedFixed
Affected versions
1.*
1.0.277
milestone-0.*
milestone-0.2
v0.*
v0.1.0
v0.3.459
v0.4.11
v0.5.5
v0.8.1181
v0.8.1334
v1.*
v1.0.0
v1.0.1
v1.0.1040
v1.0.1149
v1.0.2
v1.0.21
v1.0.277
v1.0.403
v1.0.473
v1.0.68
v1.0.712
v1.0.907
v1.1.0
v1.1.1
v1.1.114
v1.1.215
v1.1.3
v1.1.366
v1.1.469
v1.10.88
v1.2.0
v1.2.109
v1.3.0
v1.3.1
v1.3.2
v1.3.88
v1.4.0
v1.4.11
v1.4.20
v1.5.0
v1.5.1
v1.5.188
v1.6.0
v1.6.1
v1.6.210
v1.7.0
v1.7.225
v1.8.0
v1.8.1
v1.8.170
v1.8.188
v1.8.2
v1.8.3
v1.9.426
v1.x
v2.*
v2.0.0
v2.0.0-alpha
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-alpha.6
v2.0.0-alpha.7
v2.0.0-beta
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.943
v2.1.0
v2.1.1
v2.1.2
v2.1.266
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.10.377
v2.11.338
v2.12.313
v2.13.216
v2.14.305
v2.15.349
v2.16.105
v2.2.0
v2.2.0-beta
v2.2.0-beta.2
v2.2.0-beta.3
v2.2.228
v2.3.0
v2.3.200
v2.4.0
v2.4.1
v2.4.2
v2.4.456
v2.5.0
v2.5.1
v2.5.2
v2.5.207
v2.6.347
v2.7.570
v2.8.335
v2.9.359
v3.*
v3.0.0
v3.0.0-alpha
v3.0.0-alpha.2
v3.0.0-alpha.3
v3.0.0-alpha.4
v3.0.0-beta
v3.0.1
v3.0.2
v3.0.279
v3.0.3
v3.0.4
v3.1.81
v3.10.111
v3.11.174
v3.2.146
v3.3.122
v3.4.120
v3.5.141
v3.6.172
v3.7.107
v3.8.162
v3.9.179
v4.*
v4.0.0
v4.0.0-beta
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.5
v4.0.0-beta.6
v4.0.1
v4.0.189
v4.0.2
v4.0.269
v4.0.3
v4.0.379
v4.0.4
v4.0.5
v4.1.0
v4.1.392
v4.2.0
v4.x
v5.*
v5.0.0
v5.0.0-beta
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.4
v5.0.0-beta.5
v5.1.0
v5.1.0-beta
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.4.0
v5.4.1
v5.5.0
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.x
v6.*
v6.0.0
v6.0.0-beta
v6.0.0-beta.2
v6.0.0-beta.3
v6.0.0-beta.4
v6.0.0-beta.5
v6.0.0-beta.6
v6.0.1
v6.0.2
v6.0.3
v6.1.0
v6.1.1
v6.2.0
v6.2.1
v6.2.2
v6.x
v7.*
v7.0.0
v7.0.0-beta
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.1
v7.0.2
v7.0.3
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.2.0
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.4.0
v7.5.0
v7.5.1
v7.6.0
v7.7.0
v7.7.1
v8.*
v8.0.0
v8.0.1
Other
vundefined