# Headless check: load the target page in a browser, collect every URL-bearing
# attribute from the rendered DOM, and report when any collected value contains
# one of the listed CDN domains.
#
# Scope caveat: nothing below identifies pdoc or its version. A match means the
# page references one of the domains, so any site doing so will be reported
# under this CVE id.
id: CVE-2024-38526

info:
  name: Polyfill Supply Chain Attack Malicious Code Execution
  author: abut0n
  severity: high
  description: |
    pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
  impact: |
    The polyfill.io CDN has been sold and now serves malicious code.
  # NOTE(review): upgrading pdoc presumably does not rewrite HTML that was
  # already generated and published; confirm against the advisory whether
  # existing documentation must be regenerated to drop the polyfill.io link.
  remediation: |
    This issue has been fixed in pdoc 14.5.1.
  reference:
    - https://sansec.io/research/polyfill-supply-chain-attack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
    - https://x.com/triblondon/status/1761852117579427975
    - https://github.com/mitmproxy/pdoc/pull/703
    - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
    cvss-score: 7.2
    cve-id: CVE-2024-38526
    epss-score: 0.00045
    epss-percentile: 0.16001
  tags: cve,cve2024,supply-chain,polyfill

headless:
  - steps:
      # Open the target URL and wait for the page load to finish, so that
      # references added while the page loads are present in the DOM.
      - args:
          url: "{{BaseURL}}"
        action: navigate

      - action: waitload

      # Gather the de-duplicated src / href / url / action values of every
      # element carrying one of those attributes, joined one per line. The
      # result is stored under the step name `extract`.
      # The `[href]` selector also covers ordinary hyperlinks, so a page that
      # merely links to a listed domain is collected the same way as one that
      # loads a script from it; triage each hit against the page source.
      # NOTE(review): `i.url` reads a DOM property, not the `url` attribute;
      # elements matched only by `[url]` probably contribute nothing - confirm.
      - action: script
        name: extract
        args:
          code: |
            () => {
              return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
            }

    extractors:
      # Expose the script output as `urls` for the matcher below.
      # `internal: true` keeps the collected list out of the reported output.
      - type: kval
        part: extract
        name: urls
        internal: true
        kval:
          - extract

    matchers:
      # Substring match over the collected URL list. No `condition` is set, so
      # a single listed domain anywhere in the list is enough to report.
      # NOTE(review): the description names only polyfill.io; the other
      # domains are presumably the related hosts from the Sansec reference -
      # confirm before treating a hit on them as the same issue.
      - type: word
        words:
          - "polyfill.io"
          - "bootcdn.net"
          - "bootcss.com"
          - "staticfile.net"
          - "staticfile.org"
          - "unionadjs.com"
          - "xhsbpza.com"
          - "union.macoms.la"
          - "newcrbpc.com"
        part: urls
# NOTE(review): the digest below is the template signature issued for the
# upstream text; any local edit (comments included) likely requires
# re-signing - confirm with the signing tooling before relying on it.
# digest: 4a0a004730450221008b738ec6c666368330687e6764dc2fcbf3c95a84d56a6899b655a191a14df157022007e079eb3a5924e73ce46bd10dc18a84a6fad8871ef0e58954377fe4f87fb47e:922c64590222798bb761d5b6d8e72950