Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Mammoth 安全漏洞
Vulnerability Description
Mammoth是Michael Williamson个人开发者的一个将Word文档转换为HTML的工具。 mammoth 0.3.25版本和1.11.0之前版本存在安全漏洞,该漏洞源于处理docx文件时缺少路径或文件类型验证,可能导致目录遍历攻击或资源过度消耗。
CVSS Information
N/A
Vulnerability Type
N/A