CVE-2022-36231: Code injection in pdf_info
pdf_info 0.5.3 is vulnerable to command execution. An attacker supplying a specially crafted payload may execute OS commands through command chaining, because no validation is performed during object initialization and the user-provided path is used as given.
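The unsafe pattern the advisory describes (a caller-supplied path interpolated into a shell command string) beside a hardened form that validates the path at initialization and passes it as a single argv element, as an added Ruby example. This is a hypothetical wrapper written for this page, not pdf_info's own code; it assumes a pdfinfo-style CLI and uses `/bin/echo` as a stand-in binary for the demonstration.

```ruby
require "open3"
require "pathname"
require "tmpdir"

# Hypothetical wrapper (not pdf_info's own code) around a pdfinfo-style CLI.
class SafePdfInfo
  attr_reader :path

  # Hardened form: validate the path when the object is built, which is the
  # step the advisory says pdf_info 0.5.3 skipped.
  def initialize(path)
    @path = self.class.validate_path!(path)
  end

  def self.validate_path!(path)
    p = Pathname.new(path.to_s)
    raise ArgumentError, "path must be absolute" unless p.absolute?
    raise ArgumentError, "not a .pdf file" unless p.extname.casecmp(".pdf").zero?
    raise ArgumentError, "file not found" unless p.file?
    p.to_s
  end

  # Unsafe pattern: a single shell string, so ';', '|', '`' and friends in
  # the path are interpreted by /bin/sh. Shown only as a string builder
  # for comparison; it is never executed here.
  def self.unsafe_shell_command(path)
    "pdfinfo \"#{path}\""
  end

  # Safe form: argv array. Open3/Process.spawn exec the binary directly,
  # so the path is one literal argument and no shell parsing happens.
  def argv(binary: "pdfinfo")
    [binary, @path]
  end

  def run(binary: "pdfinfo")
    out, status = Open3.capture2(*argv(binary: binary))
    raise "#{binary} failed: #{status}" unless status.success?
    out
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    # Constructed sample: a file name carrying a shell metacharacter.
    odd = File.join(dir, "report; echo injected.pdf")
    File.write(odd, "%PDF-1.4\n")
    puts SafePdfInfo.new(odd).run(binary: "/bin/echo") # prints the path literally
  end
end
```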
References
- github.com/advisories/GHSA-9fh3-j99m-f4v7
- github.com/affix/CVE-2022-36231
- github.com/newspaperclub/pdf_info
- github.com/newspaperclub/pdf_info/issues/16
- github.com/newspaperclub/pdf_info/pull/15
- github.com/rubysec/ruby-advisory-db/blob/master/gems/pdf_info/CVE-2022-36231.yml
- nvd.nist.gov/vuln/detail/CVE-2022-36231
- rubygems.org/gems/pdf_info