CVE-2022-4741: 
vulnerability analysis and mitigation

A vulnerability was found in docconv up to version 1.2.0 that affects the functions ConvertDocx/ConvertODT/ConvertPages/ConvertXML/XMLToText. The issue involves uncontrolled memory allocation that can be initiated remotely. The vulnerability was assigned CVE-2022-4741 and was disclosed on December 25, 2022 (NVD).

The vulnerability stems from unbounded memory consumption when reading files from ZIP archives. The issue was fixed by implementing a maximum byte limit (20MB) through io.LimitReader on file reading operations across multiple components including docx.go, odt.go, pages.go, and xml.go files (GitHub Commit). The vulnerability has a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) according to NVD assessment (NVD).

The vulnerability could lead to uncontrolled memory allocation when processing certain files, potentially resulting in denial of service conditions. The attack can be initiated remotely, making it particularly concerning for systems that process document conversions from untrusted sources (NVD).

The vulnerability has been fixed in docconv version 1.2.1. Users are recommended to upgrade to this version or later. The fix implements a 20MB file size limit to prevent unbounded memory consumption (GitHub Release).