Vulnerabilites related to mitmproxy - pdoc
CVE-2024-38526 (GCVE-0-2024-38526)
Vulnerability from cvelistv5
Published
2024-06-25 23:53
Modified
2025-02-13 17:53
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Summary
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
References
Impacted products
Vendor Product Version
mitmproxy pdoc Version: < 14.5.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:mitmproxy:pdoc:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pdoc",
            "vendor": "mitmproxy",
            "versions": [
              {
                "lessThan": "14.5.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38526",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-14T14:23:46.307681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-14T14:25:31.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.740Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62"
          },
          {
            "name": "https://github.com/mitmproxy/pdoc/pull/703",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mitmproxy/pdoc/pull/703"
          },
          {
            "name": "https://sansec.io/research/polyfill-supply-chain-attack",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://sansec.io/research/polyfill-supply-chain-attack"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pdoc",
          "vendor": "mitmproxy",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 14.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-24T16:18:22.866Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62"
        },
        {
          "name": "https://github.com/mitmproxy/pdoc/pull/703",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mitmproxy/pdoc/pull/703"
        },
        {
          "name": "https://sansec.io/research/polyfill-supply-chain-attack",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://sansec.io/research/polyfill-supply-chain-attack"
        },
        {
          "url": "https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526"
        }
      ],
      "source": {
        "advisory": "GHSA-5vgj-ggm4-fg62",
        "discovery": "UNKNOWN"
      },
      "title": "pdoc embeds link to malicious CDN if math mode is enabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-38526",
    "datePublished": "2024-06-25T23:53:54.677Z",
    "dateReserved": "2024-06-18T16:37:02.728Z",
    "dateUpdated": "2025-02-13T17:53:15.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}