GHSA-4m3g-6r7g-jv4f – gradio_pdf

Package

Manager: pip
Name: gradio_pdf
Vulnerable Version: >=0 <0.0.10

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Arbitrary JavaScript execution due to using outdated libraries ### Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. ### PoC 1. Generate a pdf file with a malicious script in the fontmatrix. (This will run `alert(‘XSS’)`.) [poc.pdf](https://github.com/user-attachments/files/15516798/poc.pdf) 2. Run the app. In this PoC, I've used the demo for a simple proof. ![1](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/d1bb7626-3d0f-4984-8873-297658d6e77e) 3. Upload a PDF file containing the script. ![2](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/803d8080-c946-446e-bb34-cf5640e1b4de) 4. Check that the script is running. ![3](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/4956b95f-acca-4bb1-a3c2-7dfc96adf890) ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, especially when linked to social engineering. ### Mitigation Upgrade the pdf.js to v4.2.67, which removes the vulnerability. (or set the option `isEvalSupported` to `false`.) ### Reference 1. https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ 2. https://github.com/mozilla/pdf.js/pull/18015

Metadata

Created: 2024-06-05T14:15:50Z
Modified: 2024-06-05T14:15:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-4m3g-6r7g-jv4f/GHSA-4m3g-6r7g-jv4f.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1