ghsa-2r7v-cmch-5x26
Vulnerability from github
Published
2022-12-05 17:37
Modified
2022-12-05 17:37
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference
Details

Impact

The package muhammara before 2.6.2, from 3.0.0 and before 3.3.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.

Patches

It has been patched in 3.4.0 and has been backported to 2.6.2 There is no patch for hummus, currently

Workarounds

Do not process files from untrusted sources or update. Replace hummus with muhammara

References

https://github.com/julianhille/MuhammaraJS/pull/235 https://github.com/julianhille/MuhammaraJS/pull/238

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.6.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "hummus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "muhammara"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "muhammara"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-690"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T17:37:22Z",
    "nvd_published_at": "2022-11-28T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe package muhammara before 2.6.2, from 3.0.0 and before 3.3.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.\n\n### Patches\nIt has been patched in 3.4.0 and has been backported to 2.6.2\nThere is no patch for hummus, currently\n\n### Workarounds\nDo not process files from untrusted sources or update.\nReplace hummus with muhammara\n\n### References\nhttps://github.com/julianhille/MuhammaraJS/pull/235\nhttps://github.com/julianhille/MuhammaraJS/pull/238",
  "id": "GHSA-2r7v-cmch-5x26",
  "modified": "2022-12-05T17:37:22Z",
  "published": "2022-12-05T17:37:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41957"
    },
    {
      "type": "WEB",
      "url": "https://github.com/julianhille/MuhammaraJS/pull/235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/julianhille/MuhammaraJS/pull/238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/julianhille/MuhammaraJS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.