GHSA-rcrx-fpjp-mfrw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rcrx-fpjp-mfrw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-rcrx-fpjp-mfrw/GHSA-rcrx-fpjp-mfrw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rcrx-fpjp-mfrw
- Aliases
-
- CVE-2022-39381
- Published
- 2022-11-02T18:10:47Z
- Modified
- 2023-11-08T04:10:20.347133Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp
- Details
-
Impact
The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another.
Patches
It has been patched in 2.6.0 for muhammara and not at all for hummus
Workarounds
Do not process files from untrusted sources
References
PR: https://github.com/julianhille/MuhammaraJS/pull/194 Issue: https://github.com/julianhille/MuhammaraJS/issues/191 Issue in hummus: https://github.com/galkahana/HummusJS/issues/293
Outline differences to https://nvd.nist.gov/vuln/detail/CVE-2022-25892
The difference is one is in src/deps/PDFWriter/PDFParser.cpp and the other is PDFDocumentHandler.cpp both is a null pointer but for different cases These are totally diffent issues, one is in reading a pdf the other is in appendending a maliciously crafted one. The function calls are different the versions in which they are solved are diffent.
- Database specific
{ "nvd_published_at": "2022-11-02T15:15:00Z", "github_reviewed_at": "2022-11-02T18:10:47Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-476", "CWE-690" ] }- References
-
- https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw
- https://nvd.nist.gov/vuln/detail/CVE-2022-39381
- https://github.com/galkahana/HummusJS/issues/293
- https://github.com/julianhille/MuhammaraJS/issues/191
- https://github.com/julianhille/MuhammaraJS/pull/194
- https://github.com/galkahana/HummusJS/commit/a9bf2520ab5abb69f9328906e406fbebfb36159a
- https://github.com/julianhille/MuhammaraJS
Affected packages
npm / muhammara
Package
- Name
- muhammara
- View open source insights on deps.dev
- Purl
- pkg:npm/muhammara
npm / hummus
Package
- Name
- hummus
- View open source insights on deps.dev
- Purl
- pkg:npm/hummus