CVE Vulnerability

CVE-2022-41957

Muhammara is a node module with c/cpp bindings to modify PDF with JavaScript for node or electron. The package muhammara before 2.6.2 and from 3.0.0 and before 3.3.0, as well as all versions of muhammara's predecessor package hummus, are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be parsed. The issue has been patched in muhammara version 3.4.0 and the fix has been backported to version 2.6.2. As a workaround, do not process files from untrusted sources. If using hummus, replace the package with muhammara.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/julianhille/MuhammaraJS/pull/235 Issue Tracking Patch
https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-2r7v-cmch-5x26 Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/238 Issue Tracking Patch
Configurations

Configuration 1

cpe:2.3:a:muhammara_project:muhammara:*:*:*:*:*:node.js:*:*
cpe:2.3:a:muhammara_project:muhammara:*:*:*:*:*:node.js:*:*
cpe:2.3:a:hummus_project:hummus:*:*:*:*:*:node.js:*:*
Information

Published : 2022-11-28 03:15

Updated : 2022-12-01 08:37

NVD link : CVE-2022-41957

Mitre link : CVE-2022-41957

Products Affected
No products.
CWE
CWE-690

Unchecked Return Value to NULL Pointer Dereference