CVE-2023-35936
Pandoc Image Element Arbitrary File Write Vulnerability
Description
Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system, depending on the privileges of the process running pandoc. It only affects systems that pass untrusted user input to pandoc and allow pandoc to be used to produce a PDF or with the `--extract-media` option. The fix is to unescape the percent-encoding prior to checking that the resource is not above the working directory, and prior to extracting the extension. Some code for checking that the path is below the working directory was flawed in a similar way and has also been fixed. Note that the `--sandbox` option, which only affects IO done by readers and writers themselves, does not block this vulnerability. The vulnerability is patched in pandoc 3.1.4. As a workaround, audit the pandoc command and disallow PDF output and the `--extract-media` option.
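The ordering bug the description refers to (containment check on the still percent-encoded URL, decoding afterwards) and the advisory's workaround (refuse `--extract-media` and PDF output), as an added Python illustration. This is not pandoc's code, which is Haskell; the `media` directory name, the sample image URLs and the argument lists are constructed for the example, and the function names `under_dir`, `target_vulnerable`, `target_fixed` and `pandoc_args_risky` are this example's own. The flag spellings checked by the audit are pandoc's documented `-t/--to`, `-w/--write`, `-o/--output` and `--extract-media`.

```python
"""Added example (not pandoc's own code) for the flaw class in CVE-2023-35936.

Pandoc is written in Haskell; these Python functions only sketch the ordering
bug the advisory describes: a "stay below the working directory" check that
runs on the still percent-encoded image URL, followed by decoding for the
actual file write. MEDIA_DIR and every sample URL below are constructed.
"""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

MEDIA_DIR = "media"  # constructed stand-in for the --extract-media directory


def under_dir(base: str, rel: str) -> bool:
    """True if base/rel, after collapsing '.' and '..', is still inside base."""
    base = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base, rel))
    return joined == base or joined.startswith(base + "/")


def target_vulnerable(src: str, base: str = MEDIA_DIR) -> Optional[str]:
    """Flawed ordering: check the raw URL, decode afterwards.

    '..%2F..%2Fx' contains no literal '/', so the check sees one harmless
    path component and passes it; the decoded '../../x' is then used for
    the write and escapes the directory.
    """
    if not under_dir(base, src):
        return None
    return posixpath.normpath(posixpath.join(base, unquote(src)))


def target_fixed(src: str, base: str = MEDIA_DIR) -> Optional[str]:
    """Fixed ordering, as the advisory describes: decode exactly once, check
    the decoded path, and build the target from that same decoded string.
    Decoding once keeps a double-encoded '%252F' as the literal filename
    characters '%2F', which cannot act as a separator."""
    decoded = unquote(src)
    if not under_dir(base, decoded):
        return None
    return posixpath.normpath(posixpath.join(base, decoded))


# Workaround from the advisory: refuse invocations that extract media or
# produce PDF. The check is deliberately conservative: an output file ending
# in .pdf is refused even when an explicit -t would make pandoc write some
# other format into it.
FORMAT_FLAGS = ("-t", "--to", "-w", "--write")
OUTPUT_FLAGS = ("-o", "--output")


def _flag_value(args: List[str], i: int,
                flags: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """If args[i] is one of `flags` (as '-x v', '-xv', '--x v' or '--x=v'),
    return (value, index of the last consumed argument); otherwise None."""
    a = args[i]
    for flag in flags:
        if a == flag and i + 1 < len(args):
            return args[i + 1], i + 1
        if flag.startswith("--") and a.startswith(flag + "="):
            return a[len(flag) + 1:], i
        if not flag.startswith("--") and len(a) > 2 and a.startswith(flag):
            return a[len(flag):], i
    return None


def pandoc_args_risky(args: List[str]) -> bool:
    """True if the argument list (without the leading 'pandoc') asks for
    --extract-media or for PDF output. --sandbox does not change the verdict,
    because the advisory states it does not block this vulnerability."""
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--extract-media" or a.startswith("--extract-media="):
            return True
        fmt = _flag_value(args, i, FORMAT_FLAGS)
        if fmt is not None:
            if fmt[0].lower() == "pdf":
                return True
            i = fmt[1] + 1
            continue
        out = _flag_value(args, i, OUTPUT_FLAGS)
        if out is not None:
            if out[0].lower().endswith(".pdf"):
                return True
            i = out[1] + 1
            continue
        i += 1
    return False


if __name__ == "__main__":
    for src in ("fig1.png", "../../x", "..%2F..%2Fx", "%2Ftmp%2Fx", "..%252F..%252Fx"):
        print(f"{src:16} vulnerable={target_vulnerable(src)!r:22} fixed={target_fixed(src)!r}")
    print(pandoc_args_risky(["doc.md", "-o", "out.pdf"]))
```

Running the block shows the encoded traversal and the encoded absolute path passing the vulnerable ordering and being rejected by the fixed one, while a plain `../../x` is rejected by both. The point to carry into any similar check is that the string validated must be the same string later handed to the filesystem, after the same number of decoding steps.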
INFO
Published Date: July 5, 2023, 9:15 p.m.
Last Modified: Feb. 13, 2025, 5:16 p.m.
Source: [email protected]
Remotely Exploitable: No
Impact Score: 4.7
Exploitability Score: 0.8
(Scores as displayed on this page; the NIST CVSS v3.1 vector recorded in the change history below is AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L.)
References to Advisories, Solutions, and Tools
The references recorded for CVE-2023-35936 (see the change history below for when each was added and how it is typed) are:
- https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g (vendor advisory; also typed "Exploit" by NIST)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html (Debian LTS announcement; mailing list, third-party advisory)
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JGRJHU2FTSGTHHRTNDF7STEKLKKA25JN/ (Fedora update announcement)
- https://lists.fedoraproject.org/archives/list/[email protected]/message/LYP3FKDS3KAYMQUZVVL73IUI4CWSKLKP/ (Fedora update announcement)
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QI6RBP6ZKVC2OOCV6SU2FUHPMAXDDJFU/ (Fedora update announcement)
Change History
The following table lists the changes that have been made to the CVE-2023-35936 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by [email protected], Feb. 13, 2025
  Changed Description: the old and new values shown on the page are the same description text given in the Description section above.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108, Nov. 21, 2024
  Added Reference: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
  Added Reference: https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html
  Added Reference: https://lists.fedoraproject.org/archives/list/[email protected]/message/JGRJHU2FTSGTHHRTNDF7STEKLKKA25JN/
  Added Reference: https://lists.fedoraproject.org/archives/list/[email protected]/message/LYP3FKDS3KAYMQUZVVL73IUI4CWSKLKP/
  Added Reference: https://lists.fedoraproject.org/archives/list/[email protected]/message/QI6RBP6ZKVC2OOCV6SU2FUHPMAXDDJFU/
- CVE Modified by [email protected], May 14, 2024
  No field changes recorded.
- CVE Modified by [email protected], Mar. 31, 2024
  Added Reference (GitHub, Inc.): https://lists.fedoraproject.org/archives/list/[email protected]/message/LYP3FKDS3KAYMQUZVVL73IUI4CWSKLKP/ [No types assigned]
- CVE Modified by [email protected], Mar. 30, 2024
  Added Reference (GitHub, Inc.): https://lists.fedoraproject.org/archives/list/[email protected]/message/QI6RBP6ZKVC2OOCV6SU2FUHPMAXDDJFU/ [No types assigned]
  Added Reference (GitHub, Inc.): https://lists.fedoraproject.org/archives/list/[email protected]/message/JGRJHU2FTSGTHHRTNDF7STEKLKKA25JN/ [No types assigned]
- Modified Analysis by [email protected], Feb. 01, 2024
  Changed Reference Type: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g, from "Vendor Advisory" to "Exploit, Vendor Advisory"
  Changed Reference Type: https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html, from "No Types Assigned" to "Mailing List, Third Party Advisory"
  Added CPE Configuration: OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- CVE Modified by [email protected], Jul. 25, 2023
  Added Reference: https://lists.debian.org/debian-lts-announce/2023/07/msg00029.html [No Types Assigned]
- Initial Analysis by [email protected], Jul. 12, 2023
  Added CVSS V3.1 (NIST): AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:L
  Changed Reference Type: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g, from "No Types Assigned" to "Vendor Advisory"
  Added CWE (NIST): NVD-CWE-noinfo
  Added CPE Configuration: OR *cpe:2.3:a:pandoc:pandoc:*:*:*:*:*:*:*:* versions from (including) 1.13 up to (excluding) 3.1.4
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-35936 is associated with the following CWEs:
- NVD-CWE-noinfo (assigned by NIST in the initial analysis of Jul. 12, 2023; this placeholder means no specific CWE was mapped)
Exploit Prediction
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
EPSS score: 0.08% (change: -0.02%)
EPSS percentile: 0.38131