# N/A
## Vulnerability Overview
PDF.js lacks a type check when processing fonts, which allows arbitrary JavaScript code to be executed in the PDF.js context.
## Affected Versions
- Firefox < 126
- Firefox ESR < 115.11
- Thunderbird < 115.11
## Vulnerability Details
When PDF.js processes fonts, a required type check is missing, so an attacker can execute arbitrary JavaScript code by crafting a specific PDF file.
## Impact
Allows an attacker to execute arbitrary JavaScript code in the user's PDF.js environment, potentially leading to cross-site scripting or other security risks.
| # | PoC Description | Source Link |
|---|---|---|
| 1 | CVE-2024-4367 & CVE-2024-34342 Proof of Concept | https://github.com/LOURC0D3/CVE-2024-4367-PoC |
| 2 | CVE-2024-4367 arbitrary js execution in pdf js | https://github.com/s4vvysec/CVE-2024-4367-POC |
| 3 | YARA detection rule for CVE-2024-4367 arbitrary javascript execution in PDF.js | https://github.com/spaceraccoon/detect-cve-2024-4367 |
| 4 | CVE-2024-4367 mitigation for Odoo 14.0 | https://github.com/avalahEE/pdfjs_disable_eval |
| 5 | This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367 | https://github.com/clarkio/pdfjs-vuln-demo |
| 6 | PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This vulnerability allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. It affects all Firefox users (<126), since Firefox uses PDF.js to display PDF files, but it also seriously affects many web-based and Electron-based applications that (indirectly) use PDF.js for preview functionality. | https://github.com/Zombie-Kaiser/cve-2024-4367-PoC-fixed |
| 7 | This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367 | https://github.com/snyk-labs/pdfjs-vuln-demo |
| 8 | PoC - Proof of Concept of CVE-2024-4367 combined with CVE-2023-38831 in a single script | https://github.com/UnHackerEnCapital/PDFernetRemotelo |
| 9 | CVE-2024-4367 reproduction | https://github.com/Scivous/CVE-2024-4367-npm |
| 10 | None | https://github.com/Masamuneee/CVE-2024-4367-Analysis |
| 11 | None | https://github.com/pedrochalegre7/CVE-2024-4367-pdf-sample |
| 12 | CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js, allowing arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files. | https://github.com/exfil0/WEAPONIZING-CVE-2024-4367 |
| 13 | This Proof of Concept (PoC) demonstrates the exploitation of the CVE-2024-4367 vulnerability, which involves Cross-Site Scripting (XSS) attacks. | https://github.com/inpentest/CVE-2024-4367-PoC |
| 14 | None | https://github.com/elamani-drawing/CVE-2024-4367-POC-PDFJS |
| 15 | None | https://github.com/VVeakee/CVE-2024-4367 |
| 16 | PDF host for CVE-2024-4367 | https://github.com/BektiHandoyo/cve-pdf-host |
| 17 | None | https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/PDF.js%20%E4%BB%BB%E6%84%8F%20JavaScript%20%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%20CVE-2024-4367.md |
| 18 | None | https://github.com/vulhub/vulhub/blob/master/pdfjs/CVE-2024-4367/README.md |
| 19 | CVE-2024-4367 | https://github.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability |
| 20 | None | https://github.com/PenguinCabinet/CVE-2024-4367-hands-on |
| 21 | POC for PDF JS' CVE-2024-4367 vuln | https://github.com/pS3ud0RAnD0m/cve-2024-4367-poc |
| 22 | POC | https://github.com/MihranGIT/POC_CVE-2024-4367 |
| 23 | None | https://github.com/MihranGIT/CVE-2024-4367 |
| 24 | wargame, CVE-2024-4367 | https://github.com/m0d0ri205/PDFJS |
| 25 | This Proof of Concept (PoC) demonstrates the exploitation of the CVE-2024-4367 vulnerability, which involves Cross-Site Scripting (XSS) attacks. | https://github.com/ahmad-kabiri/CVE-2024-4367-PoC |
| 26 | None | https://github.com/0xr2r/CVE-2024-4367 |
| 27 | Odoo ≤17 is vulnerable to CVE-2024-4367, allowing arbitrary JavaScript execution via PDF.js. | https://github.com/1337rokudenashi/Odoo_PDFjs_CVE-2024-4367.pdf |
| 28 | This Proof of Concept (PoC) demonstrates the exploitation of the CVE-2024-4367 vulnerability, which involves Cross-Site Scripting (XSS) attacks. | https://github.com/kabiri-labs/CVE-2024-4367-PoC |
## References
- Security Vulnerabilities fixed in Firefox 126 — Mozilla
- Security Vulnerabilities fixed in Firefox ESR 115.11 — Mozilla
- Security Vulnerabilities fixed in Thunderbird 115.11 — Mozilla