CVE-2022-4643: 
vulnerability analysis and mitigation

A critical vulnerability (CVE-2022-4643) was discovered in docconv versions up to 1.2.0. The vulnerability affects the ConvertPDFImages function in the pdf_ocr.go file, where manipulation of the path argument can lead to OS command injection. This remote code execution vulnerability was disclosed on December 21, 2022 (NVD).

The vulnerability is classified as an OS Command Injection (CWE-78) with a CVSS v3.1 base score of 9.8 (CRITICAL). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), and requires no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary OS commands remotely through the manipulation of the path argument in the ConvertPDFImages function. This could lead to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in version 1.2.1 of docconv. The patch (commit b19021ade3d0b71c89d35cb00eb9e589a121faa5) implements proper shell escaping for the path argument. Users are strongly recommended to upgrade to version 1.2.1 or later to address this security issue (GitHub Release, GitHub Commit).