EIQ-2019-0036


ID

EIQ-2019-0036

CVE

CVE-2018-5158

Description

A crafted PDF file could allow malicious JavaScript injection

Date

26 Sep 2019

Severity

3 - HIGH

CVSSv3 score

8.8

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.6.0

Assessment

The vulnerability affects pdfjs-dist version 2.0.305. a sub-dependency of react-pdf version 3.0.6.

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file.
To reproduce the vulnerability scenario, we used a test PDF downloaded from Mozilla. However, it was not possible to replicate the issue in EclecticIQ Platform.

We test direct dependencies by scanning fixed builds, and then by checking the corresponding vulnerability reports to verify that they no longer include the addressed vulnerabilities.
At the moment, there is no way to reliably test indirect dependencies.

Mitigation

To mitigate the vulnerability, upgrade to react-pdf to version 4.0.0 or later.
This action upgrades also the vulnerable sub-dependency.

Affected versions

2.5.0 and earlier.

Notes

For more information, see:

< Back to all security issues and mitigation actions

In release notes 2.5.0

In release notes 2.6.0