Command injection in pdfinfo - #VU12235
Published: April 26, 2018
Vulnerability identifier: #VU12235
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Node.js Foundation
Affected software:
pdfinfo
pdfinfo
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can cause the module to append the filename parameter to the command on the lines 28, 47 and 72, inject and execute arbitrary commands.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can cause the module to append the filename parameter to the command on the lines 28, 47 and 72, inject and execute arbitrary commands.
Remediation
Update to version 0.4.1 or later.