Homepage
About Snyk

Dependency on Vulnerable Third-Party Component Affecting pdoc package, versions [,14.5.1)

Severity

 Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-PDOC-7391129
  • published 26 Jun 2024
  • disclosed 26 Jun 2024
  • credit Drew Hintz
Report a new vulnerability Found a mistake?

Introduced: 26 Jun 2024

New CVE-2024-38526 Open this link in a new tab
CWE-1395 Open this link in a new tab

How to fix?

Upgrade pdoc to version 14.5.1 or higher.

Overview

pdoc is an API Documentation for Python Projects

Affected versions of this package are vulnerable to Dependency on Vulnerable Third-Party Component which is accessible if the --math option is used to generate documents. A request is made to retrieve JavaScript code from the domain polyfill.io, which has been found to serve malicious code.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
9.2 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    Partial
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    High
  • Integrity (VI)
    High
  • Availability (VA)
    High
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None