CVE-2024-38526

EUVD-2024-1935
pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
GitHub_MCNA
0 NONE
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:H/RL:O/RC:C/MC:N/MI:N/MA:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
References
https://github.com/mitmproxy/pdoc/pull/703
https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
https://sansec.io/research/polyfill-supply-chain-attack
https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526
https://github.com/mitmproxy/pdoc/pull/703
https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
https://sansec.io/research/polyfill-supply-chain-attack
https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526