CVE-2022-25765: Command Injection
First published: Fri Sep 09 2022(Updated: )
The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized.
Credit: report@snyk.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/pdfkit | <0.8.7.2 | 0.8.7.2 |
| Pdfkit | >=0.0.0 | |
| Fedora | =35 | |
| Fedora | =36 | |
| Fedora | =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb%23L55-L58
- https://github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb%23L44-L50
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml
- https://github.com/pdfkit/pdfkit/releases/tag/v0.8.7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/
- https://github.com/pdfkit/pdfkit/issues/517
- https://github.com/pdfkit/pdfkit/pull/519
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/
- http://packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
- https://github.com/advisories/GHSA-rhwx-hjx2-x4qr (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/
- collector/github-advisory-latest
- alias/GHSA-rhwx-hjx2-x4qr
- alias/CVE-2022-25765
- collector/github-advisory
- agent/type
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/rubygems
- vendor/pdfkit project
- canonical/pdfkit
- version/pdfkit/0.0.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/35
- version/fedora/36
- version/fedora/37