ghsa-5vgj-ggm4-fg62
Vulnerability from github
Published
2024-06-25 22:23
Modified
2024-07-26 21:36
Severity
Summary
pdoc embeds link to malicious CDN if math mode is enabled
Details
Impact
Documentation generated with pdoc --math
linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serves malicious code.
Users who produce documentation with math mode should update immediately. All other users are unaffected.
Patches
This issue has been fixed in pdoc 14.5.1.
References
https://github.com/mitmproxy/pdoc/pull/703 https://sansec.io/research/polyfill-supply-chain-attack
Timeline
- [2024-06-25] https://sansec.io/research/polyfill-supply-chain-attack is published.
- [2024-06-25 20:54 UTC] Issue reported to the pdoc project by @adhintz.
- [2024-06-25 21:33 UTC] Patched version released.
- [2024-06-25 21:37 UTC] Security advisory published.
- [2024-06-25 23:49 UTC] CVE-2024-38526 assigned by GitHub.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "pdoc" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "14.5.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-38526" ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2024-06-25T22:23:30Z", "nvd_published_at": "2024-06-26T00:15:10Z", "severity": "HIGH" }, "details": "### Impact\n\nDocumentation generated with `pdoc --math` linked to JavaScript files from polyfill.io.\nThe polyfill.io CDN has been sold and now serves malicious code.\n\nUsers who produce documentation with math mode should update immediately. All other users are unaffected.\n\n### Patches\n\nThis issue has been fixed in pdoc 14.5.1.\n\n### References\n\nhttps://github.com/mitmproxy/pdoc/pull/703\nhttps://sansec.io/research/polyfill-supply-chain-attack\n\n### Timeline\n\n- **[2024-06-25]** https://sansec.io/research/polyfill-supply-chain-attack is published.\n- **[2024-06-25 20:54 UTC]** Issue reported to the pdoc project by @adhintz.\n- **[2024-06-25 21:33 UTC]** Patched version released.\n- **[2024-06-25 21:37 UTC]** Security advisory published.\n- **[2024-06-25 23:49 UTC]** CVE-2024-38526 assigned by GitHub.", "id": "GHSA-5vgj-ggm4-fg62", "modified": "2024-07-26T21:36:47Z", "published": "2024-06-25T22:23:30Z", "references": [ { "type": "WEB", "url": "https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38526" }, { "type": "WEB", "url": "https://github.com/mitmproxy/pdoc/pull/703" }, { "type": "WEB", "url": "https://github.com/mitmproxy/pdoc/commit/726b8f2e365fe8afeb3604a7c73d19b460395d58" }, { "type": "PACKAGE", "url": "https://github.com/mitmproxy/pdoc" }, { "type": "WEB", "url": "https://sansec.io/research/polyfill-supply-chain-attack" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L", "type": "CVSS_V3" } ], "summary": "pdoc embeds link to malicious CDN if math mode is enabled" }
Loading...