Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).
Published 2023-07-25 04:15:11
Updated 2024-03-31 03:15:08
Source MITRE
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-38745

0.05%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 15 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-38745

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.3
MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1.0
5.2
NIST

References for CVE-2023-38745

Products affected by CVE-2023-38745

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!