Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yaHd4LWhqeDIteDRxcs4AAuuA
PDFKit vulnerable to Command Injection
The package pdfkit is vulnerable to Command Injection where the URL is not properly sanitized.
Note: This issue was patched in 0.8.7.2, but the patch was discovered to be ineffective. The updated patch version is 0.8.7.2.
Permalink: https://github.com/advisories/GHSA-rhwx-hjx2-x4qr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yaHd4LWhqeDIteDRxcs4AAuuA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-rhwx-hjx2-x4qr, CVE-2022-25765
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
- https://github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb#L44-L50
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml
- https://github.com/pdfkit/pdfkit/releases/tag/v0.8.7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/
- https://github.com/pdfkit/pdfkit/issues/517
- https://github.com/pdfkit/pdfkit/pull/519
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/
- http://packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
- https://github.com/advisories/GHSA-rhwx-hjx2-x4qr
Affected Packages
rubygems:pdfkit
Dependent packages: 58
Dependent repositories: 1,928
Downloads: 21,081,109 total
Affected Version Ranges: < 0.8.7.2
Fixed in: 0.8.7.2
All affected versions:
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.1, 0.6.2, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7