CVE-2023-35936
Published 2023-07-05
Priority: P4 (28) · Severity: medium · CVSS 3.1 base score: 5.0
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
EPSS: 0.35% (26.8th percentile)
Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the `--extract-media` option.
The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the `--sandbox` option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the `--extract-media` option.
Caveat: the 3.1.4 fix was incomplete. It did not account for double percent-encoded path names, which was tracked separately as CVE-2023-38745 and fixed in pandoc 3.1.6 (see the Red Hat, Debian, OSV and GHSA entries below). Treat 3.1.6 as the minimum safe upstream version.
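The root cause described above is a containment check performed on one representation of the resource path (still percent-encoded) while the file write uses another (decoded). The following is an added example for this page, not pandoc's own code (pandoc is written in Haskell; this is a Python model of the logic). It contrasts three checks: the pre-3.1.4 check on the raw name, the 3.1.4 check that decodes once (bypassed by double encoding, the CVE-2023-38745 follow-up), and a hardened check that canonicalises to a fixed point and then returns exactly the value it checked so the write cannot diverge from it. The media directory, the sample image sources and the `written_path` model of the sink are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed media directory; --extract-media or the PDF pipeline would write
# fetched images below it.  Constructed for this example.
MEDIA_DIR = "/tmp/media"


def fully_decode(name, max_passes=5):
    """Percent-decode until the value stops changing (bounded).

    Returns None if the value is still changing after max_passes; a name
    that needs more than a handful of passes is not worth trusting.
    """
    for _ in range(max_passes):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    return None


def is_below(base, rel):
    """Lexical containment: does base/rel normalise to a path inside base?"""
    joined = posixpath.normpath(posixpath.join(base, rel))
    return joined == base or joined.startswith(base + "/")


def written_path(src):
    """Model of the sink: the file ends up under the fully decoded name.

    This is a simplification of the behaviour the advisory describes,
    not pandoc's actual write path.
    """
    return posixpath.normpath(posixpath.join(MEDIA_DIR, fully_decode(src) or src))


def check_pre_3_1_4(src):
    """Pre-fix: containment checked on the raw, still-encoded name."""
    return is_below(MEDIA_DIR, src)


def check_3_1_4(src):
    """3.1.4 fix: decode once, then check.  One encoding layer is peeled;
    a second layer survives and is decoded later by the sink (CVE-2023-38745)."""
    return is_below(MEDIA_DIR, unquote(src))


def safe_media_path(src):
    """Hardened: canonicalise to a fixed point, check, and return exactly the
    checked path so the caller writes to that value and nothing else."""
    name = fully_decode(src)
    if name is None or not is_below(MEDIA_DIR, name):
        return None
    return posixpath.normpath(posixpath.join(MEDIA_DIR, name))


# Constructed image sources as they might appear in ![alt](src).
SAMPLES = {
    "benign":          "img/logo.png",
    "plain traversal": "../../etc/cron.d/job",
    "encoded":         "..%2F..%2Fetc%2Fcron.d%2Fjob",          # CVE-2023-35936
    "double encoded":  "..%252F..%252Fetc%252Fcron.d%252Fjob",  # CVE-2023-38745
}


def evaluate(src):
    """Return (pre_fix_accepts, fix_3_1_4_accepts, hardened_result, written_path)."""
    return (check_pre_3_1_4(src), check_3_1_4(src), safe_media_path(src), written_path(src))


if __name__ == "__main__":
    for label, src in SAMPLES.items():
        pre, fixed, hardened, target = evaluate(src)
        print(f"{label:16} pre-fix={pre!s:5} 3.1.4={fixed!s:5} "
              f"hardened={hardened} write-> {target}")
```

The "encoded" sample passes the pre-fix check because, undecoded, it is a single flat file name, yet the sink decodes it and writes outside the media directory; the "double encoded" sample does the same to the single-decode check. Two practical notes: the caller must write to the value `safe_media_path` returns, never to the original string, and lexical normalisation does not follow symlinks, so if the media directory can already contain attacker-controlled links, resolve with `os.path.realpath` before the containment check.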
Affected versions

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | haskell-pandoc | < haskell-pandoc 3.0.1-2 (forky) | haskell-pandoc 3.0.1-2 (forky) |
| debian | pandoc | < haskell-pandoc 3.0.1-2 (forky) | haskell-pandoc 3.0.1-2 (forky) |
| debian | pandoc | — | — |
| pandoc | pandoc | < 3.1.6 | 3.1.6 |
| pandoc | pandoc | >= 0 < 2.9.2.1-1+deb11u1 | 2.9.2.1-1+deb11u1 |
| pandoc | pandoc | >= 0 < 2.17.1.1-2~deb12u1 | 2.17.1.1-2~deb12u1 |
| pandoc | pandoc | >= 0 < 2.17.1.1-2 | 2.17.1.1-2 |
| pandoc | pandoc | >= 1.13 < 3.1.4 | 3.1.4 |

Reading the table: the `>= 1.13 < 3.1.4` row is the upstream range for CVE-2023-35936 itself, and the `< 3.1.6` row is the upstream range once the incomplete-fix follow-up (CVE-2023-38745) is included. The rows with `deb11u1`, `deb12u1` and `-2` suffixes are Debian package versions (bullseye, bookworm and unstable respectively) that carry the backported fix, not upstream releases, even though the index lists them under vendor "pandoc".
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 5.0 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L |
| OSV | 5.0 | MEDIUM | n/a |
| Debian | 6.1 | MEDIUM | n/a |
| Red Hat | 6.1 | MEDIUM | n/a |

The NVD vector assumes local access (AV:L) and user interaction (UI:R), which fits the command-line tool. For a service that converts untrusted uploads unattended, both preconditions are satisfied by design, so treat the score as a floor rather than a measure of exposure.
Red Hat: CVE-2023-38745 (MEDIUM, CWE-20), 2023-07-25, CVSS 6.1
pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)
Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists because of an incomplete fix for CVE-2023-35936 (failure to properly account for double encoded path names).
An arbitrary file write vulnerability was found in Haskell's Pandoc.
Red Hat: CVE-2023-35936 (MEDIUM, CWE-20), 2023-07-06, CVSS 6.1
pandoc: allows attacker to create or overwrite arbitrary files on the system
Description: identical to the CVE description at the top of this page.
Debian: CVE-2023-38745 (MEDIUM), package pandoc, 2023, CVSS 6.1
Description: identical to the Red Hat CVE-2023-38745 text above (Pandoc before 3.1.6 allows arbitrary file write via a crafted image element with --extract-media or PDF output; incomplete fix for CVE-2023-35936, double-encoded path names).
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
Debian: CVE-2023-35936 (MEDIUM), package haskell-pandoc, 2023, CVSS 6.1
Description: identical to the CVE description at the top of this page.
OSV: CVE-2023-35936, "Arbitrary file write is possible when using PDF output or --extract-media with untrusted input" (osv, 2025-11-14)
Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc).
This vulnerability only affects systems that (a) pass untrusted user input to pandoc and (b) allow pandoc to be used to produce a PDF or with the --extract-media option.
The vulnerability is patched in pandoc 3.1.4.
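The two preconditions above, (a) untrusted input and (b) PDF output or `--extract-media`, are what the advisory's workaround ("audit the pandoc command") has to detect, and the audit is easy to get wrong: pandoc selects PDF output from the `.pdf` extension of the output file, not only from an explicit format, and `--sandbox` does not close this hole. The following is an added example, not code from the pandoc project: a Python pre-flight check over the argument vector a service would pass to pandoc, to be run before spawning the converter on untrusted input. The sample invocations are constructed; the option spellings checked are pandoc's documented `-o`/`--output`, `-t`/`--to`/`-w`/`--write`, `--extract-media` and `--sandbox`.

```python
import sys

PDF_FORMAT = "pdf"


def _value_after(args, i):
    """Value of a space-separated option, or None if it is missing."""
    return args[i + 1] if i + 1 < len(args) else None


def audit_pandoc_args(args):
    """Inspect the arguments that would follow `pandoc` and return the
    findings that matter for CVE-2023-35936 / CVE-2023-38745.

    Finding codes:
      'pdf-output'          output will be a PDF (-o x.pdf, --output=x.pdf, -t pdf, ...)
      'extract-media'       --extract-media is in use
      'sandbox-ineffective' --sandbox is present but does not block this bug
    An empty list means the invocation is outside the affected configuration.
    """
    output = None
    fmt = None
    extract_media = False
    sandbox = False
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--sandbox":
            sandbox = True
        elif a == "--extract-media":
            extract_media = True
            i += 1                      # skip the directory argument
        elif a.startswith("--extract-media="):
            extract_media = True
        elif a in ("-o", "--output"):
            output = _value_after(args, i)
            i += 1
        elif a.startswith("--output="):
            output = a.split("=", 1)[1]
        elif a.startswith("-o") and not a.startswith("--"):
            output = a[2:]              # GNU-style joined short option: -ofile.pdf
        elif a in ("-t", "--to", "-w", "--write"):
            fmt = _value_after(args, i)
            i += 1
        elif a.startswith(("--to=", "--write=")):
            fmt = a.split("=", 1)[1]
        elif a[:2] in ("-t", "-w") and not a.startswith("--"):
            fmt = a[2:]                 # joined short option: -tpdf
        i += 1

    findings = []
    # Extension check is case-insensitive on purpose: an audit should over-match.
    if (output and output.lower().endswith(".pdf")) or (fmt and fmt.lower() == PDF_FORMAT):
        findings.append("pdf-output")
    if extract_media:
        findings.append("extract-media")
    if sandbox and findings:
        findings.append("sandbox-ineffective")
    return findings


if __name__ == "__main__":
    # Usage: python audit_pandoc.py <arguments you intend to pass to pandoc>
    found = audit_pandoc_args(sys.argv[1:])
    if found:
        print("refusing pandoc invocation:", ", ".join(found), file=sys.stderr)
        sys.exit(1)
    print("ok")
```

While the deployed pandoc is older than 3.1.6, any finding should reject the job; a `sandbox-ineffective` finding also flags a common false sense of safety, since `--sandbox` only restricts IO done by readers and writers and not the media extraction or PDF build path. The check is deliberately lexical and over-inclusive (for example it treats any `.pdf` output name as a PDF request); it is a gate, not a parser of pandoc's full option grammar.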
OSV: CVE-2023-38745 (MEDIUM), 2023-07-25, CVSS 5.0
Description: identical to the Red Hat CVE-2023-38745 text above (Pandoc before 3.1.6, incomplete fix for CVE-2023-35936).
GHSA: GHSA-9hpj-m9v9-5wvw for CVE-2023-38745 (MEDIUM, unreviewed), 2023-07-25, CVSS 6.1
Description: identical to the Red Hat CVE-2023-38745 text above (Pandoc before 3.1.6, incomplete fix for CVE-2023-35936).
OSV: CVE-2023-35936 (MEDIUM), 2023-07-05, CVSS 5.0
Description: identical to the CVE description at the top of this page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGRJHU2FTSGTHHRTNDF7STEKLKKA25JN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYP3FKDS3KAYMQUZVVL73IUI4CWSKLKP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI6RBP6ZKVC2OOCV6SU2FUHPMAXDDJFU/