minor-update

main
Dhiyaneshwaran 2024-07-18 11:38:58 +05:30 committed by GitHub
parent e268102246
commit bb2cb430c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 13 additions and 7 deletions

@ -1,21 +1,28 @@
id: CVE-2024-38526 id: CVE-2024-38526
info: info:
name: CVE-2024-38526 - Untrusted 3rd party name: Polyfill Supply Chain Attack Malicious Code Execution
author: abut0n author: abut0n
severity: high severity: high
description: | description: |
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
impact: | impact: |
The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites. The polyfill.io CDN has been sold and now serves malicious code.
remediation: | remediation: |
Remove the dependecy. This issue has been fixed in pdoc 14.5.1.
reference: reference:
- https://sansec.io/research/polyfill-supply-chain-attack - https://sansec.io/research/polyfill-supply-chain-attack
- https://nvd.nist.gov/vuln/detail/CVE-2024-38526 - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
- https://x.com/triblondon/status/1761852117579427975 - https://x.com/triblondon/status/1761852117579427975
tags: CVE,CVE-2024-38526,headless,supply-chain - https://github.com/mitmproxy/pdoc/pull/703
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
cvss-score: 7.2
cve-id: CVE-2024-38526
epss-score: 0.00045
epss-percentile: 0.16001
tags: cve,cve2024,supply-chain,polyfill
headless: headless:
- steps: - steps:
- args: - args:
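Review bot: the rewritten `tags` line (`cve,cve2024,supply-chain,polyfill`) drops the `headless` tag even though the template still carries a `headless:` section with `steps:` directly below it, so the template is no longer reachable through that tag; suggest `tags: cve,cve2024,supply-chain,polyfill,headless`. Two smaller points in the same hunk: the new `description` runs the original polyfill paragraph straight into the pdoc sentence (`... embeds cdn.polyfill.io pdoc provides API Documentation for Python Projects.`) with no sentence boundary, so end the first part with a period or put the pdoc sentence on its own line; and since the CVE, the description and the `remediation` (fixed in pdoc 14.5.1) are all about pdoc, the new `name` would be clearer if it named the product, e.g. `pdoc - Polyfill Supply Chain Attack Malicious Code Execution`.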
@ -44,7 +51,6 @@ headless:
- type: word - type: word
words: words:
- "polyfill.io" - "polyfill.io"
# More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com.
- "bootcdn.net" - "bootcdn.net"
- "bootcss.com" - "bootcss.com"
- "staticfile.net" - "staticfile.net"
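Review bot: deleting the comment above the `bootcdn.net`, `bootcss.com` and `staticfile.net` words removes the only explanation in the template of why those domains sit next to `polyfill.io` in the matcher (same actor, spreading malware since at least June 2023) and drops the other hosts it attributed to that actor (staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com). If the inline comment is unwanted in the `words:` list, move that attribution into the `description` or back it with an entry under `reference:` rather than discarding it, so a reader of the matcher can tell these are not arbitrary CDN hosts.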