Skip to content

CVE-2024-4367 (High) detected in pdfjs-dist-2.2.228.tgz #760

New issue
New issue
Open
Open
CVE-2024-4367 (High) detected in pdfjs-dist-2.2.228.tgz#760
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on May 8, 2024

CVE-2024-4367 - High Severity Vulnerability

Vulnerable Library - pdfjs-dist-2.2.228.tgz

Generic build of Mozilla's PDF.js library.

Library home page: https://registry.npmjs.org/pdfjs-dist/-/pdfjs-dist-2.2.228.tgz

Path to dependency file: /spec-main/package.json

Path to vulnerable library: /spec-main/package.json

Dependency Hierarchy:

  • pdfjs-dist-2.2.228.tgz (Vulnerable Library)

Found in HEAD commit: 5da3bcb84e69be57f16313e78dd435a9af067d0d

Found in base branch: master

Vulnerability Details

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Publish Date: 2024-05-14

URL: CVE-2024-4367

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wgrm-67xf-hhpq

Release Date: 2024-05-14

Fix Resolution: 4.2.67

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions