CVE-2022-41957

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/julianhille/MuhammaraJS/pull/235	Issue Tracking Patch Third Party Advisory
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26	Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/238	Issue Tracking Patch Third Party Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:muhammara_project:muhammara::::::node.js::*
	cpe:2.3:a:muhammara_project:muhammara::::::node.js::*

Configuration 2 (hide)

cpe:2.3:a:hummus_project:hummus:*:*:*:*:*:node.js:*:*

Information

Published : 2022-11-28 07:15

Updated : 2022-12-01 12:37

NVD link : CVE-2022-41957

Mitre link : CVE-2022-41957

JSON object : View

CWE

CWE-690

Unchecked Return Value to NULL Pointer Dereference

Advertisement

Products Affected

hummus_project

hummus

muhammara_project

muhammara

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/julianhille/MuhammaraJS/pull/235", "name": "https://github.com/julianhille/MuhammaraJS/pull/235", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26", "name": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/julianhille/MuhammaraJS/pull/238", "name": "https://github.com/julianhille/MuhammaraJS/pull/238", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-690"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-41957", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2022-11-28T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:muhammara_project:muhammara:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.6.2"}, {"cpe23Uri": "cpe:2.3:a:muhammara_project:muhammara:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:hummus_project:hummus:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-01T20:37Z"}