diff --git a/headless/2024/CVE-2024-38526.yaml b/headless/2024/CVE-2024-38526.yaml index 445d1debf4..53ebf0d9b0 100644 --- a/headless/2024/CVE-2024-38526.yaml +++ b/headless/2024/CVE-2024-38526.yaml @@ -1,21 +1,28 @@ id: CVE-2024-38526 info: - name: CVE-2024-38526 - Untrusted 3rd party + name: Polyfill Supply Chain Attack Malicious Code Execution author: abut0n severity: high description: | - The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io + pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io impact: | - The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites. + The polyfill.io CDN has been sold and now serves malicious code. remediation: | - Remove the dependecy. + This issue has been fixed in pdoc 14.5.1. reference: - https://sansec.io/research/polyfill-supply-chain-attack - https://nvd.nist.gov/vuln/detail/CVE-2024-38526 - https://x.com/triblondon/status/1761852117579427975 - tags: CVE,CVE-2024-38526,headless,supply-chain - + - https://github.com/mitmproxy/pdoc/pull/703 + - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L + cvss-score: 7.2 + cve-id: CVE-2024-38526 + epss-score: 0.00045 + epss-percentile: 0.16001 + tags: cve,cve2024,supply-chain,polyfill headless: - steps: - args: 
@@ -44,7 +51,6 @@ headless: - type: word words: - "polyfill.io" - # More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com. - "bootcdn.net" - "bootcss.com" - "staticfile.net"
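Review bot: the rewritten `description` and `remediation` in the first hunk scope the template to pdoc ("Documentation generated with `pdoc --math`", "fixed in pdoc 14.5.1"), but the headless matcher still fires on any page that references `polyfill.io`, so most hits will be sites that never used pdoc and for which upgrading pdoc is not an actionable fix. Suggest keeping the pdoc note as the CVE origin but widening the remediation, e.g. `Remove or self-host the polyfill.io script; if the page was generated by pdoc, upgrade to 14.5.1 or later.` Also, `headless` was dropped from `tags:` even though this remains a `headless:` template; consider keeping it so the template stays selectable by protocol tag.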
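Review bot: in the second hunk, removing `bootcdn.net`, `bootcss.com` and `staticfile.net` together with the comment that explained them as related infrastructure narrows the matcher to `polyfill.io` only; that is consistent with the CVE scope, but it silently drops coverage of the other domains and the context for why they were there. If the intent is to scope strictly to CVE-2024-38526, state that in the PR description and consider moving the removed domains into a separate non-CVE supply-chain template rather than deleting them outright.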