CVE-2022-39381 : Muhammara is a node module with c/cpp bindings to modify PDF with js for node or

Muhammara is a node module with c/cpp bindings to modify PDF with js for node or electron (based/replacement on/of galkhana/hummusjs). The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another. This issue has been patched in 2.6.0 for muhammara and not at all for hummus. As a workaround, do not process files from untrusted sources.

Published 2022-11-02 15:15:11

Updated 2022-11-04 02:42:02

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2022-39381

Pdfhummus » Hummusjs » For Node.js
Versions before (<) 1.0.111
cpe:2.3:a:pdfhummus:hummusjs:*:*:*:*:*:node.js:*:*
Matching versions
Muhammarajs Project » Muhammarajs » For Node.js
Versions up to, including, (<=) 2.6.0
cpe:2.3:a:muhammarajs_project:muhammarajs:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39381

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 15 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39381

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-39381

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: nvd@nist.gov (Primary)
CWE-690 Unchecked Return Value to NULL Pointer Dereference

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-39381

https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw

Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp · Advisory · julianhille/MuhammaraJS · GitHub
Third Party Advisory
https://github.com/julianhille/MuhammaraJS/issues/191

segmentation fault for specific file when appending to another · Issue #191 · julianhille/MuhammaraJS · GitHub
Issue Tracking;Third Party Advisory
https://github.com/julianhille/MuhammaraJS/pull/194

Fix append pages when stream is not readable by julianhille · Pull Request #194 · julianhille/MuhammaraJS · GitHub
Patch;Third Party Advisory
https://github.com/galkahana/HummusJS/issues/293

Hummus exception causes Node.js crashing · Issue #293 · galkahana/HummusJS · GitHub
Exploit;Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39381

Products affected by CVE-2022-39381

Exploit prediction scoring system (EPSS) score for CVE-2022-39381

CVSS scores for CVE-2022-39381

CWE ids for CVE-2022-39381

References for CVE-2022-39381