CVE-2009-1144 — Code Injection in Xpdf

CWE-94 — Code Injection4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 74.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glyphandcog Xpdfreader Foolabs Xpdf

Timeline

PublishedApr 9

Latest updateMay 2

Description

Untrusted search path vulnerability in the Gentoo package of Xpdf before 3.02-r2 allows local users to gain privileges via a Trojan horse xpdfrc file in the current working directory, related to an unset SYSTEM_XPDFRC macro in a Gentoo build process that uses the poppler library.

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 3.4 | Impact: 10.0

Affected Packages2 packages

▶NVDglyphandcog/xpdfreader3.02+17

▶NVDfoolabs/xpdf14 versions+13

🔴Vulnerability Details

GHSA

GHSA-xj2c-76v8-mh2r: Untrusted search path vulnerability in the Gentoo package of Xpdf before 3↗2022-05-02

▶

CVEList

CVE-2009-1144: Untrusted search path vulnerability in the Gentoo package of Xpdf before 3↗2009-04-09

▶

📋Vendor Advisories

Debian

CVE-2009-1144: xpdf - Untrusted search path vulnerability in the Gentoo package of Xpdf before 3.02-r2...↗2009

▶