CVE-2023-38745 — Improper Input Validation in Pandoc

CWE-20 — Improper Input Validation5 documents5 sources

Severity

6.3MEDIUMNVD

OSV5.0

EPSS

0.0%

top 86.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pandoc Debian Linux Debian Pandoc

Timeline

PublishedJul 25

Description

Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by providing a crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. This allows an attacker to create or overwrite arbitrary files, depending on the privileges of the process running Pandoc. It only affects systems that pass untrusted user input to Pandoc and allow Pandoc to be used to produce a PDF or with the --extract-media option. NOTE: this issue exists beca…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 1.0 | Impact: 5.2

Affected Packages2 packages

▶NVDpandoc/pandoc< 3.1.6

▶debiandebian/pandoc

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-38745: Pandoc before 3↗2023-07-25

▶

GHSA

GHSA-9hpj-m9v9-5wvw: Pandoc before 3↗2023-07-25

▶

📋Vendor Advisories

Red Hat

pandoc: allows attacker to create or overwrite arbitrary files on the system (incomplete fix in upstream for CVE-2023-35936)↗2023-07-25

▶

Debian

CVE-2023-38745: pandoc - Pandoc before 3.1.6 allows arbitrary file write: this can be triggered by provid...↗2023

▶