CVE-2023-24612
Published: 30 January 2023
Summary
CVE-2023-24612 is a critical-severity Command Injection (CWE-77) vulnerability in the Pdfbook Project's PdfBook extension for MediaWiki. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The PdfBook extension for MediaWiki, through version 2.0.5 prior to commit b07b6a64, contains a command-injection flaw (CWE-77) that can be triggered through an option passed to the PDF-generation process. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated exploitation with no user interaction required.
An attacker able to reach a MediaWiki instance using the affected extension can supply a malicious option value that results in arbitrary operating-system command execution, thereby obtaining full control over the confidentiality, integrity, and availability of the underlying server.
The referenced merge request implements the corrective change that eliminates the unsanitized option handling; administrators should update PdfBook to a revision at or after b07b6a64.
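To make the bug class concrete, the following added example (not PdfBook's own code; the converter name, the option, the regular expression and the function names are assumptions for the illustration) shows a request-supplied option flowing unescaped into a PDF-converter command line, next to a version that allowlists the value and shell-escapes every argument:

```php
<?php
// Added example modelling the CWE-77 pattern behind CVE-2023-24612, not code
// from the PdfBook extension. 'pdfconverter', the --size option and the
// function names are assumptions made for this illustration.

// Unsafe: plain string interpolation, so shell metacharacters in $pageSize
// (';', '|', '`', '$(...)') are interpreted by the shell that runs the command.
function buildPdfCommandUnsafe( string $pageSize ): string {
    return "pdfconverter --size=$pageSize input.html -o output.pdf";
}

// Hardened, step 1: accept only values from a strict allowlist pattern.
function validatePageSize( string $pageSize ): string {
    if ( !preg_match( '/^(A[3-5]|Letter|Legal)$/', $pageSize ) ) {
        throw new InvalidArgumentException( "unsupported page size: $pageSize" );
    }
    return $pageSize;
}

// Hardened, step 2: build the command as an argument list and shell-escape
// each element anyway, so a future validator bug cannot reach the shell.
function buildPdfCommandSafe( string $pageSize ): string {
    $size = validatePageSize( $pageSize );
    $args = [ 'pdfconverter', '--size=' . $size, 'input.html', '-o', 'output.pdf' ];
    return implode( ' ', array_map( 'escapeshellarg', $args ) );
}

// Constructed inputs: a legitimate size and one carrying a shell separator.
foreach ( [ 'A4', 'A4;id' ] as $input ) {
    echo "unsafe : " . buildPdfCommandUnsafe( $input ) . "\n";
    try {
        echo "safe   : " . buildPdfCommandSafe( $input ) . "\n";
    } catch ( InvalidArgumentException $e ) {
        echo "safe   : rejected (" . $e->getMessage() . ")\n";
    }
}
```

Inside a MediaWiki extension the same discipline is obtained by passing the argument list to MediaWiki's Shell::command() helper, which escapes each argument, rather than concatenating a command string for shell_exec().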
EPSS remains low and unchanged at 0.0721 with no reported rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28627
Vulnerability details
The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.