Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-35936

Disclosure Date: July 05, 2023 •

CVE-2023-35936 CVSS v3 Base Score: 5.0

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system ,depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the --extract-media option.

The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the --sandbox option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the --extract-media option.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.0 Medium

Impact Score:

4.2

Exploitability Score:

0.8

Vector:

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L

Attack Vector (AV):

Local

Attack Complexity (AC):

High

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

Low

Vendors

debian,
pandoc

Products

debian linux 10.0,
pandoc

References

Canonical

CVE-2023-35936 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35936)

Miscellaneous

https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g

https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI6RBP6ZKVC2OOCV6SU2FUHPMAXDDJFU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JGRJHU2FTSGTHHRTNDF7STEKLKKA25JN/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYP3FKDS3KAYMQUZVVL73IUI4CWSKLKP/

Rapid7

Unknown

CVE-2023-35936

Unknown

Unknown

Required

Low

Local

CVE-2023-35936

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2023-35936

Unknown

Unknown

Required

Low

Local

CVE-2023-35936

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification