CVE-2024-38526

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/mitmproxy/pdoc/pull/703
https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
https://sansec.io/research/polyfill-supply-chain-attack
https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-26 00:15

Updated : 2024-07-24 17:15

NVD link : CVE-2024-38526

Mitre link : CVE-2024-38526

CVE.ORG link : CVE-2024-38526

JSON object : View

Products Affected

No product.

CWE

No CWE.

7.2 /10