Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-frp9-2v6r-gj97: muhammara and hummus vulnerable to null pointer dereference on bad response object

Impact

The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another.

Patches

It has been patched in 2.6.0 for muhammara and not at all for hummus

Workarounds

Do not process files from untrusted sources

References

PR: https://github.com/julianhille/MuhammaraJS/pull/194 Issue: https://github.com/julianhille/MuhammaraJS/issues/191 Issue in hummus: https://github.com/galkahana/HummusJS/issues/293

Outline differences to https://nvd.nist.gov/vuln/detail/CVE-2022-25892

The difference is one is in src/deps/PDFWriter/PDFParser.cpp and the other is PDFDocumentHandler.cpp both is a null pointer but for different cases

ghsa
Open in Source
#dos#js#git#pdf

muhammara and hummus vulnerable to null pointer dereference on bad response object

High severity GitHub Reviewed Published Nov 1, 2022 • Updated Nov 1, 2022

Related news

CVE-2022-25885: electron crash, needs at least input validation for pdfstreamresponse · Issue #439 · galkahana/HummusJS

The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when PDFStreamForResponse() is used with invalid data.

ghsa: Latest News

GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php
ghsa