Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycjd2LWNtY2gtNXgyNs4AAwJT
muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference
Impact
The package muhammara before 2.6.2, from 3.0.0 and before 3.3.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed.
Patches
It has been patched in 3.4.0 and has been backported to 2.6.2
There is no patch for hummus, currently
Workarounds
Do not process files from untrusted sources or update.
Replace hummus with muhammara
References
https://github.com/julianhille/MuhammaraJS/pull/235
https://github.com/julianhille/MuhammaraJS/pull/238
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycjd2LWNtY2gtNXgyNs4AAwJT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-2r7v-cmch-5x26, CVE-2022-41957
References:
- https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26
- https://nvd.nist.gov/vuln/detail/CVE-2022-41957
- https://github.com/julianhille/MuhammaraJS/pull/235
- https://github.com/julianhille/MuhammaraJS/pull/238
- https://github.com/advisories/GHSA-2r7v-cmch-5x26
Blast Radius: 18.4
Affected Packages
npm:muhammara
Dependent packages: 16Dependent repositories: 20
Downloads: 67,694 last month
Affected Version Ranges: < 2.6.2, >= 3.0.0, < 3.4.0
Fixed in: 2.6.2, 3.4.0
All affected versions: 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.3.0
All unaffected versions: 2.6.2, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 4.0.0, 4.1.0
npm:hummus
Dependent packages: 43Dependent repositories: 282
Downloads: 59,525 last month
Affected Version Ranges: < 2.6.2
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38, 1.0.39, 1.0.40, 1.0.41, 1.0.42, 1.0.43, 1.0.44, 1.0.45, 1.0.46, 1.0.47, 1.0.48, 1.0.49, 1.0.51, 1.0.52, 1.0.53, 1.0.54, 1.0.55, 1.0.56, 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.0.71, 1.0.72, 1.0.73, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.80, 1.0.81, 1.0.82, 1.0.83, 1.0.84, 1.0.85, 1.0.86, 1.0.87, 1.0.88, 1.0.89, 1.0.90, 1.0.91, 1.0.92, 1.0.93, 1.0.94, 1.0.95, 1.0.96, 1.0.97, 1.0.98, 1.0.99, 1.0.100, 1.0.101, 1.0.102, 1.0.103, 1.0.104, 1.0.105, 1.0.106, 1.0.107, 1.0.108, 1.0.109, 1.0.110, 1.0.111, 1.0.112, 1.0.113, 1.0.114, 1.0.115, 1.0.116