Code injection in pdf_info
Published: February 24, 2023
SECURITY IDENTIFIERS
- CVE: CVE-2022-36231 (NVD)
- GHSA: GHSA-9fh3-j99m-f4v7
- Vendor Advisory: https://github.com/affix/CVE-2022-36231
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
None available.
DESCRIPTION
pdf_info 0.5.3 is vulnerable to command execution. No validation is performed during object initialization and the user-provided path is used as is, so an attacker can execute OS commands through command chaining with a specially crafted payload.
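
With no patched version available, the class of bug described above can be shown next to its hardened form. This is an added example, not code from the pdf_info gem or the advisory: `info_unsafe`, `SafePdfInfo` and `InvalidPdfPath` are hypothetical names, and `echo` is assumed as a harmless stand-in for the external PDF utility so the sketch runs offline.

```ruby
require "open3"
require "tmpdir"

TOOL = "echo" # assumption: harmless stand-in for the external PDF utility

# Vulnerable pattern: the caller's path is interpolated into a shell string,
# so the shell interprets metacharacters such as ";" in it.
def info_unsafe(path)
  `#{TOOL} #{path}`
end

class InvalidPdfPath < ArgumentError; end

# Hardened pattern (hypothetical class): validate during initialization,
# then execute with an argv array so no shell ever parses the path.
class SafePdfInfo
  def initialize(path)
    path = String(path)
    raise InvalidPdfPath, "NUL byte in path" if path.include?("\0")
    full = File.expand_path(path) # absolute, so it cannot be read as an option
    raise InvalidPdfPath, "not a regular file: #{path.inspect}" unless File.file?(full)
    @path = full
  end

  def command
    [TOOL, @path]
  end

  def run
    out, status = Open3.capture2(*command)
    raise "#{TOOL} exited with #{status.exitstatus}" unless status.success?
    out
  end
end

# Constructed sample: a file whose name contains a shell metacharacter.
def demo
  Dir.mktmpdir do |dir|
    odd = File.join(dir, "report.pdf; echo INJECTED")
    File.write(odd, "%PDF-1.4\n")
    { unsafe: info_unsafe(odd), safe: SafePdfInfo.new(odd).run, path: odd }
  end
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "unsafe: #{r[:unsafe].inspect}"
  puts "safe:   #{r[:safe].inspect}"
end
```

In the hardened form the whole file name reaches the tool as a single argument, and a path that does not name an existing regular file is rejected before any process is started.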
