CVE-2024-38526

high

Description

pdoc provides API documentation for Python projects. Documentation generated with `pdoc --math` loaded JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code, so any such documentation pulls that code into the reader's browser. This issue has been fixed in pdoc 14.5.1.
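A defender's check for already-built documentation, added here as an example and not part of pdoc or the advisory: it parses HTML and reports every `<script src>` or `<link href>` whose host is polyfill.io or a subdomain of it. The sample page is a constructed stand-in for an affected `pdoc --math` page, not pdoc's real template.

```python
"""Scan HTML for <script>/<link> tags that load resources from polyfill.io."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Report this host and any subdomain of it (e.g. cdn.polyfill.io).
FLAGGED_HOSTS = ("polyfill.io",)


def host_is_flagged(url):
    """True if the URL points at polyfill.io or one of its subdomains."""
    if "//" not in url:
        return False  # relative path: shipped with the docs, not a CDN
    # urlparse lowercases hostname; scheme= also handles //host/... URLs.
    host = urlparse(url, scheme="https").hostname or ""
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


class ExternalResourceScanner(HTMLParser):
    """Collect (tag, url) for <script src> / <link href> on a flagged host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        attr = dict(attrs)
        url = attr.get("src") if tag == "script" else attr.get("href")
        if url and host_is_flagged(url):
            self.findings.append((tag, url))


def scan_html(text):
    """Return the flagged (tag, url) pairs found in one HTML document."""
    parser = ExternalResourceScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed stand-in for a pre-14.5.1 `pdoc --math` page (not pdoc's template).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/katex.min.css">
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="search.js"></script>
</head><body><p>module docs</p></body></html>"""
```

Run `scan_html` over each generated `.html` file (for example via `pathlib.Path(docs_dir).rglob("*.html")`); any finding means the page should be regenerated with pdoc 14.5.1 or later.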

References

https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/

https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526

https://sansec.io/research/polyfill-supply-chain-attack

https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62

https://github.com/mitmproxy/pdoc/pull/703

Details

Source: Mitre, NVD

Published: 2024-06-26

Updated: 2024-07-24

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Severity: High

EPSS

EPSS: 0.58348