PT-2023-13461 · Pdf Info · Pdf Info

Tomtaylor

Published

2023-02-23

Updated

2025-03-13

CVE-2022-36231

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions pdf info version 0.5.3

Description The issue is related to Command Execution. The Ruby code in pdf info uses backticks instead of Open3, which can lead to command execution. An attacker may execute OS commands by using command chaining because during object initialization, there is no validation performed, and the user-provided path is used.

Recommendations For pdf info version 0.5.3, consider updating to a newer version that uses Open3 instead of backticks to prevent command execution. As a temporary workaround, restrict the use of user-provided paths during object initialization to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-94

Related Identifiers

CVE-2022-36231

GHSA-9FH3-J99M-F4V7

Affected Products

Pdf Info

PT-2023-13461 · Pdf Info · Pdf Info

CVE-2022-36231

Weakness Enumeration

Related Identifiers

Affected Products

References · 12