GHSA-2r7v-cmch-5x26

Source
https://github.com/advisories/GHSA-2r7v-cmch-5x26
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-2r7v-cmch-5x26/GHSA-2r7v-cmch-5x26.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2r7v-cmch-5x26
Aliases
Published
2022-12-05T17:37:22Z
Modified
2023-11-08T04:10:36.975874Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference
Details

Impact

The package muhammara before 2.6.2 and from 3.0.0 before 3.3.0, as well as all versions of the package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to parse.

Patches

The issue has been patched in 3.4.0 and the fix has been backported to 2.6.2. There is currently no patch for hummus.

Workarounds

Do not process files from untrusted sources, or update. Replace hummus with muhammara.

References

https://github.com/julianhille/MuhammaraJS/pull/235
https://github.com/julianhille/MuhammaraJS/pull/238

Affected packages

npm / hummus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Database specific

{
    "last_known_affected_version_range": "< 2.6.2"
}

npm / muhammara

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.4.0

npm / muhammara

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.6.2