CVE-2022-46161

pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32	Exploit Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/	Exploit Third Party Advisory
https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32	Exploit Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pdfmake_project:pdfmake:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:30

Type	Values Removed	Values Added
References	~~() https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32 - Exploit, Third Party Advisory~~	() https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32 - Exploit, Third Party Advisory
References	~~() https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/ - Exploit, Third Party Advisory~~	() https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/ - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 10.0

07 Jul 2023, 19:04

Type	Values Removed	Values Added
CWE	~~CWE-94~~	NVD-CWE-Other

Information

Published : 2022-12-06 19:15

Updated : 2024-11-21 07:30

NVD link : CVE-2022-46161

Mitre link : CVE-2022-46161

CVE.ORG link : CVE-2022-46161

JSON object : View

Products Affected

pdfmake_project

pdfmake

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

NVD-CWE-Other

{"id": "CVE-2022-46161", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-12-06T19:15:10.520", "references": [{"url": "https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bpampuch/pdfmake/blob/802813970ac6de68a0bd0931b74150b33da0dd18/dev-playground/server.js#L32", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://securitylab.github.com/advisories/GHSL-2022-068_pdfmake/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input."}, {"lang": "es", "value": "pdfmake es una impresi\u00f3n de PDF del lado cliente/servidor de c\u00f3digo abierto en JavaScript puro. En versiones hasta la 0.2.5 incluida, pdfmake contiene una evaluaci\u00f3n insegura de la entrada controlada por el usuario. Por lo tanto, los usuarios de pdfmake est\u00e1n sujetos a la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto del proceso que ejecuta el c\u00f3digo pdfmake. No se conocen soluciones para este problema. Se recomienda a los usuarios que restrinjan el acceso a las entradas de usuarios confiables."}], "lastModified": "2024-11-21T07:30:13.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pdfmake_project:pdfmake:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "642EFB6D-D985-4533-89A8-6F74E1DC7C1C", "versionEndIncluding": "0.2.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}