Ruby/pdfkit/0.6.1
Uses wkhtmltopdf to create PDFs using HTML
https://rubygems.org/gems/pdfkit
UNKNOWN
2 Security Vulnerabilities
PDFKit vulnerable to Command Injection
Published date: 2022-09-10T00:00:32Z
CVE: CVE-2022-25765
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb%23L55-L58
- https://github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb%23L44-L50
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- https://github.com/advisories/GHSA-rhwx-hjx2-x4qr
- https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml
- https://github.com/pdfkit/pdfkit/releases/tag/v0.8.7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESWB6SX7HYWQ54UGBGQOZ7G24O6RAOKD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFB2BFKH5SUGRKXMY6PWRQNGKZML7GDT/
- https://github.com/pdfkit/pdfkit/issues/517
- https://github.com/pdfkit/pdfkit/pull/519
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36GAV3TKM3JXV6UVMLMTTDRCPKSNETQ/
- http://packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
The package pdfkit is vulnerable to Command Injection where the URL is not properly sanitized.
Note: This issue was patched in 0.8.7.2, but the patch was discovered to be ineffective. The updated patch version is 0.8.7.2.
Affected versions:
["0.8.4.3.2", "0.8.4.3.1", "0.8.4.2", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.2", "0.6.1", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.3", "0.3.2", "0.3.1", "0.3.0", "0.2.3", "0.2.2", "0.2.1", "0.2.0", "0.1.1", "0.1.0", "0.8.5", "0.8.6", "0.8.7", "0.8.7.1"]
Secure versions:
[0.8.7.2, 0.8.7.3]
Recommendation:
Update to version 0.8.7.3.
PDFKit vulnerable to Command Injection
Published date: 2022-09-10
CVE: 2022-25765
CVSS V3: 9.8
The package pdfkit from version 0.0.0 through version 0.8.6 is vulnerable to Command Injection where the URL is not properly sanitized.
Affected versions:
["0.8.4.3.2", "0.8.4.3.1", "0.8.4.2", "0.8.4.1", "0.8.4", "0.8.3", "0.8.2", "0.8.1", "0.8.0", "0.7.0", "0.6.2", "0.6.1", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.3", "0.3.2", "0.3.1", "0.3.0", "0.2.3", "0.2.2", "0.2.1", "0.2.0", "0.1.1", "0.1.0", "0.8.5", "0.8.6", "0.8.7", "0.8.7.1"]
Secure versions:
[0.8.7.2, 0.8.7.3]
Recommendation:
Update to version 0.8.7.3.
40 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.8.7.3 | MIT | 2023-05-30 - 17:15 | 11 months | |
| 0.8.7.2 | MIT | 2022-10-18 - 19:07 | over 1 year | |
| 0.8.7.1 | MIT | 2 | 2022-10-17 - 14:37 | over 1 year |
| 0.8.7 | MIT | 2 | 2022-10-02 - 16:55 | over 1 year |
| 0.8.6 | MIT | 2 | 2022-04-11 - 19:17 | about 2 years |
| 0.8.5 | MIT | 2 | 2021-01-24 - 03:59 | about 3 years |
| 0.8.4.2 | MIT | 2 | 2020-04-01 - 15:58 | about 4 years |
| 0.8.4.1 | MIT | 2 | 2019-02-22 - 23:05 | about 5 years |
| 0.8.4 | MIT | 2 | 2019-02-22 - 00:23 | about 5 years |
| 0.8.3 | MIT | 2 | 2019-02-14 - 15:07 | about 5 years |
| 0.8.2 | UNKNOWN | 2 | 2015-08-26 - 23:02 | over 8 years |
| 0.8.1 | UNKNOWN | 2 | 2015-08-21 - 14:29 | over 8 years |
| 0.8.0 | UNKNOWN | 2 | 2015-07-08 - 17:17 | almost 9 years |
| 0.8.4.3.1 | MIT | 2 | 2020-07-06 - 01:09 | almost 4 years |
| 0.8.4.3.2 | MIT | 2 | 2020-08-16 - 21:51 | over 3 years |
| 0.7.0 | UNKNOWN | 2 | 2015-05-11 - 21:54 | almost 9 years |
| 0.6.2 | UNKNOWN | 2 | 2014-03-20 - 22:54 | about 10 years |
| 0.6.1 | UNKNOWN | 2 | 2014-02-19 - 01:16 | about 10 years |
| 0.5.4 | UNKNOWN | 2 | 2013-06-12 - 18:58 | almost 11 years |
| 0.5.3 | UNKNOWN | 2 | 2013-02-21 - 16:18 | about 11 years |
| 0.5.2 | UNKNOWN | 4 | 2011-07-02 - 17:55 | almost 13 years |
| 0.5.1 | UNKNOWN | 4 | 2011-06-17 - 18:24 | almost 13 years |
| 0.5.0 | UNKNOWN | 4 | 2010-12-27 - 19:55 | over 13 years |
| 0.4.6 | UNKNOWN | 4 | 2010-09-03 - 15:32 | over 13 years |
| 0.4.5 | UNKNOWN | 4 | 2010-08-24 - 19:20 | over 13 years |
| 0.4.4 | UNKNOWN | 4 | 2010-08-20 - 15:31 | over 13 years |
| 0.4.3 | UNKNOWN | 4 | 2010-07-30 - 13:51 | over 13 years |
| 0.4.2 | UNKNOWN | 4 | 2010-07-23 - 13:29 | over 13 years |
| 0.4.1 | UNKNOWN | 4 | 2010-07-19 - 20:56 | over 13 years |
| 0.4.0 | UNKNOWN | 4 | 2010-07-16 - 18:02 | over 13 years |
| 0.3.3 | UNKNOWN | 4 | 2010-06-18 - 14:34 | almost 14 years |
| 0.3.2 | UNKNOWN | 4 | 2010-06-18 - 13:48 | almost 14 years |
| 0.3.1 | UNKNOWN | 4 | 2010-06-15 - 16:27 | almost 14 years |
| 0.3.0 | UNKNOWN | 4 | 2010-06-11 - 15:29 | almost 14 years |
| 0.2.3 | UNKNOWN | 4 | 2010-06-01 - 15:18 | almost 14 years |
| 0.2.2 | UNKNOWN | 4 | 2010-05-24 - 21:11 | almost 14 years |
| 0.2.1 | UNKNOWN | 4 | 2010-05-24 - 20:54 | almost 14 years |
| 0.2.0 | UNKNOWN | 4 | 2010-05-24 - 16:40 | almost 14 years |
| 0.1.1 | UNKNOWN | 4 | 2010-05-24 - 13:07 | almost 14 years |
| 0.1.0 | UNKNOWN | 4 | 2010-05-21 - 19:42 | almost 14 years |