CVE-2023-35936 — Improper Input Validation in Pandoc
Severity
6.3MEDIUMNVD
NVD5.0OSV5.0
EPSS
0.0%
top 89.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 5
Latest updateNov 14
Description
Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the syst…
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:LExploitability: 0.8 | Impact: 4.2
Affected Packages5 packages
Also affects: Debian Linux 10.0
🔴Vulnerability Details
4📋Vendor Advisories
4Red Hat▶
pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)↗2023-07-25
Debian▶
CVE-2023-38745: pandoc - Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by provid...↗2023
Debian▶
CVE-2023-35936: haskell-pandoc - Pandoc is a Haskell library for converting from one markup format to another, an...↗2023