6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-4741

GHSA ID

GHSA-qvx2-59g8-8hph

EPSS Score

0.1733%

CWE

CWE-789

Published

12/25/2022

Updated

3/1/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-4741

CVE-2022-4741: docconv vulnerable to Memory Allocation with Excessive Size Value

A vulnerability was found in docconv up to 1.2.0 and classified as problematic. This issue affects the function ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText. The manipulation leads to uncontrolled memory allocation. The attack may be initiated remotely. Upgrading to version 1.2.1 can address this issue. The name of the patch is 42bcff666855ab978e67a9041d0cdea552f20301. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216779.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-4741

GHSA ID

GHSA-qvx2-59g8-8hph

EPSS Score

0.1733%

CWE

CWE-789

Published

12/25/2022

Updated

3/1/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/sajari/docconv	go	< 1.2.1	1.2.1
code.sajari.com/docconv	go	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled memory allocation when processing untrusted inputs. The commit 42bcff6 adds size limits to all these functions by wrapping readers with io.LimitReader. The affected functions are explicitly named in vulnerability descriptions and correspond to files modified in the patch. Each was using unbounded ReadAll/Decoder operations prior to the fix, making them clear vectors for memory exhaustion attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *o**onv up to *.*.* *n* *l*ssi*i** *s pro*l*m*ti*. T*is issu* *****ts t** *un*tion `*onv*rt*o*x/*onv*rtO*T/*onv*rtP***s/*onv*rtXML/XMLToT*xt`. T** m*nipul*tion l***s to un*ontroll** m*mory *llo**tion. T** *tt**k m*y ** in

Reasoning

T** vuln*r**ility st*ms *rom un*ontroll** m*mory *llo**tion w**n pro**ssin* untrust** inputs. T** *ommit ******* ***s siz* limits to *ll t**s* *un*tions *y wr*ppin* r****rs wit* `io.LimitR****r`. T** *****t** *un*tions *r* *xpli*itly n*m** in vuln*r*

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-4741: docconv vulnerable to Memory Allocation with Excessive Size Value

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI