minor-update
parent
e268102246
commit
bb2cb430c0
|
@ -1,21 +1,28 @@
|
||||||
id: CVE-2024-38526
|
id: CVE-2024-38526
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: CVE-2024-38526 - Untrusted 3rd party
|
name: Polyfill Supply Chain Attack Malicious Code Execution
|
||||||
author: abut0n
|
author: abut0n
|
||||||
severity: high
|
severity: high
|
||||||
description: |
|
description: |
|
||||||
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io
|
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
|
||||||
impact: |
|
impact: |
|
||||||
The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
|
The polyfill.io CDN has been sold and now serves malicious code.
|
||||||
remediation: |
|
remediation: |
|
||||||
Remove the dependecy.
|
This issue has been fixed in pdoc 14.5.1.
|
||||||
reference:
|
reference:
|
||||||
- https://sansec.io/research/polyfill-supply-chain-attack
|
- https://sansec.io/research/polyfill-supply-chain-attack
|
||||||
- https://nvd.nist.gov/vuln/detail/CVE-2024-38526
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-38526
|
||||||
- https://x.com/triblondon/status/1761852117579427975
|
- https://x.com/triblondon/status/1761852117579427975
|
||||||
tags: CVE,CVE-2024-38526,headless,supply-chain
|
- https://github.com/mitmproxy/pdoc/pull/703
|
||||||
|
- https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
|
||||||
|
classification:
|
||||||
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
|
||||||
|
cvss-score: 7.2
|
||||||
|
cve-id: CVE-2024-38526
|
||||||
|
epss-score: 0.00045
|
||||||
|
epss-percentile: 0.16001
|
||||||
|
tags: cve,cve2024,supply-chain,polyfill
|
||||||
headless:
|
headless:
|
||||||
- steps:
|
- steps:
|
||||||
- args:
|
- args:
|
||||||
|
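Review bot: the `headless` tag is dropped from the rewritten tags line (`tags: cve,cve2024,supply-chain,polyfill`) although the template still runs under the `headless:` protocol, so `-tags headless` no longer selects it; keep `headless` in the list unless headless templates are now filtered by protocol instead. Two smaller points in the same hunk: the new description line `Documentation generated with \`pdoc --math\` linked to JavaScript files from polyfill.io` is missing its closing period, and since the description now frames the finding as pdoc-specific while the template's detection is a generic polyfill.io check, a short note that any page loading cdn.polyfill.io will match would help triage.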
@ -44,7 +51,6 @@ headless:
|
||||||
- type: word
|
- type: word
|
||||||
words:
|
words:
|
||||||
- "polyfill.io"
|
- "polyfill.io"
|
||||||
# More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com.
|
|
||||||
- "bootcdn.net"
|
- "bootcdn.net"
|
||||||
- "bootcss.com"
|
- "bootcss.com"
|
||||||
- "staticfile.net"
|
- "staticfile.net"
|
||||||
|
|
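Review bot: deleting the comment line removes the only record of why `bootcdn.net`, `bootcss.com` and `staticfile.net` are in the word list, and of the further domains attributed to the same actor (unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com) that do not appear in the visible `words:` entries; either keep a one-line comment pointing at the Sansec reference already cited in the template, or add the remaining domains so the list and its provenance stay together. Separately, a bare `word` match on `"polyfill.io"` fires on any page that merely contains the string, including a page that discusses the attack, so matching the `cdn.polyfill.io` host inside a `<script src=` attribute rather than the bare domain would cut false positives.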