
GHSA-4m3g-6r7g-jv4f gradio-pdf

Package

Manager: pip
Name: gradio-pdf
Vulnerable Version: =0.0.1 || =0.0.2 || =0.0.3 || =0.0.4 || =0.0.5 || =0.0.6 || =0.0.7 || =0.0.8 || =0.0.9 || >=0 <0.0.10

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Arbitrary JavaScript execution due to using outdated libraries

### Summary

gradio-pdf projects that depend on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution.

### PoC

1. Generate a PDF file with a malicious script in the font matrix. (This will run `alert('XSS')`.) [poc.pdf](https://github.com/user-attachments/files/15516798/poc.pdf)
2. Run the app. In this PoC, I've used the demo for a simple proof. ![1](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/d1bb7626-3d0f-4984-8873-297658d6e77e)
3. Upload a PDF file containing the script. ![2](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/803d8080-c946-446e-bb34-cf5640e1b4de)
4. Check that the script is running. ![3](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/4956b95f-acca-4bb1-a3c2-7dfc96adf890)

### Impact

Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, it can become a source of further attacks, especially when linked to social engineering.

### Mitigation

Upgrade pdf.js to v4.2.67, which removes the vulnerability (or set the option `isEvalSupported` to `false`).

### Reference

1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
2. https://github.com/mozilla/pdf.js/pull/18015
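The two mitigations above (upgrade to pdf.js v4.2.67 or later, or disable `isEvalSupported`) can be turned into a small self-check for any pdf.js integration. The following is an added example, not code from the advisory or from the gradio-pdf project; it assumes the host application passes a parameter object to `pdfjsLib.getDocument()` and can read the bundled pdf.js version (e.g. `pdfjsLib.version`). The version strings used as sample input are constructed for illustration.

```javascript
// Added example: assess a pdf.js integration against CVE-2024-4367.
// Assumptions (not from the advisory): the app loads PDFs with
// pdfjsLib.getDocument(params) and knows the bundled pdf.js version string.

const FIXED_PDFJS_VERSION = "4.2.67"; // first release with the upstream fix, per the advisory

// Compare dotted numeric version strings; negative/zero/positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// True when the bundled pdf.js already contains the fix.
function isPatchedPdfJs(version) {
  return compareVersions(version, FIXED_PDFJS_VERSION) >= 0;
}

// Copy the getDocument() parameters with isEvalSupported forced to false,
// so PDF function code is interpreted instead of compiled via eval/Function.
// isEvalSupported is a real pdf.js DocumentInitParameters option (default true).
function hardenedDocumentParams(params) {
  return { ...params, isEvalSupported: false };
}

// Report whether a given (version, load params) combination is still exposed:
// exposed only when the library is unpatched AND eval is left enabled.
function assessPdfJsIntegration(version, params) {
  const evalEnabled = params.isEvalSupported !== false; // pdf.js default is true
  const patched = isPatchedPdfJs(version);
  return { patched, evalEnabled, exposed: !patched && evalEnabled };
}

// Usage with constructed sample versions (not the versions gradio-pdf shipped):
const unpatched = assessPdfJsIntegration("4.1.392", { url: "doc.pdf" });
console.log("unpatched, defaults:", unpatched);                  // exposed: true
const hardened = assessPdfJsIntegration("4.1.392", hardenedDocumentParams({ url: "doc.pdf" }));
console.log("unpatched, isEvalSupported=false:", hardened);      // exposed: false
console.log("patched, defaults:", assessPdfJsIntegration("4.2.67", { url: "doc.pdf" })); // exposed: false
```

In a real integration the object returned by `hardenedDocumentParams()` is what you hand to `pdfjsLib.getDocument()`; the version check is useful as a startup assertion so that a dependency downgrade or a vendored copy of pdf.js does not silently reintroduce the exposure.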

Metadata

Created: 2024-06-05T14:15:50Z
Modified: 2024-12-02T05:49:21.567066Z
Source: https://osv-vulnerabilities
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1