OpenCVE

Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Muhammarajs Project	Muhammarajs
Pdfhummus	Hummusjs

Configuration 1 [-]

OR	cpe:2.3:a:muhammarajs_project:muhammarajs::::::node.js::*
	cpe:2.3:a:pdfhummus:hummusjs::::::node.js::*

No data.

References

Link	Providers
https://github.com/galkahana/HummusJS/issues/293
https://github.com/julianhille/MuhammaraJS/issues/191
https://github.com/julianhille/MuhammaraJS/pull/194
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-11-02T00:00:00

Updated: 2024-08-03T12:07:41.238Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39381

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-02T15:15:10.543

Modified: 2024-11-21T07:18:10.657

Link: CVE-2022-39381

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39381", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:07:41.238Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-11-02T00:00:00"}, "containers": {"cna": {"title": "Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-11-02T00:00:00"}, "descriptions": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources."}], "affected": [{"vendor": "julianhille", "product": "MuhammaraJS", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}, {"url": "https://github.com/galkahana/HummusJS/issues/293"}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-690: Unchecked Return Value to NULL Pointer Dereference", "cweId": "CWE-690"}]}], "source": {"advisory": "GHSA-rcrx-fpjp-mfrw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:07:41.238Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw", "tags": ["x_transferred"]}, {"url": "https://github.com/galkahana/HummusJS/issues/293", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/issues/191", "tags": ["x_transferred"]}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/194", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:muhammarajs_project:muhammarajs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F63EAAE0-D342-4D4B-945E-82FA10CCD315", "versionEndIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfhummus:hummusjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "ADCD90A6-1325-4822-85A1-E7196FDFA510", "versionEndExcluding": "1.0.111", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources."}, {"lang": "es", "value": "Muhammara es un m\u00f3dulo de nodo con enlaces c/cpp para modificar PDF con js para nodo o electr\u00f3n (based/replacement on/of galkhana/hummusjs). El paquete muhammara antes de 2.6.0; Todas las versiones del paquete hummus son vulnerables a la Denegaci\u00f3n de Servicio (DoS) cuando se les suministra un archivo PDF creado con fines malintencionados para adjuntarlo a otro. Este problema se solucion\u00f3 en 2.6.0 para muhammara y no se solucion\u00f3 en absoluto para hummus. Como workaround alternativo, no procese archivos de fuentes que no sean de confianza."}], "id": "CVE-2022-39381", "lastModified": "2024-11-21T07:18:10.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-02T15:15:10.543", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/galkahana/HummusJS/issues/293"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/pull/194"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/galkahana/HummusJS/issues/293"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/issues/191"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/pull/194"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-690"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}