CVE-2018-14320
published 2018-09-17CVE-2018-14320: This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit…
PriorityP335medium6.5CVSS 3.0
AVNACLPRNUIRSUCHINAN
EPSS
2.36%
81.6th percentile
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libpodofo | < libpodofo 0.9.6+dfsg-4 (bookworm) | libpodofo 0.9.6+dfsg-4 (bookworm) |
| podofo | podofo_podofo | — | — |
CVSS provenance
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-v265-h4r2-3fhj: This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo
ghsa_unreviewed·2022-05-13
CVE-2018-14320 [MEDIUM] CWE-119 GHSA-v265-h4r2-3fhj: This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673.
OSV
CVE-2018-14320: This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo
osv·2018-09-17·CVSS 6.5
CVE-2018-14320 [MEDIUM] CVE-2018-14320: This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673.
Debian
CVE-2018-14320: libpodofo - This vulnerability allows remote attackers to disclose sensitive information on ...
vendor_debian·2018·CVSS 6.5
CVE-2018-14320 [MEDIUM] CVE-2018-14320: libpodofo - This vulnerability allows remote attackers to disclose sensitive information on ...
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673.
Scope: local
bookworm: resolved (fixed in 0.9.6+dfsg-4)
bullseye: resolved (fixed in 0.9.6+dfsg-4)
forky: resolved (fixed in 0.9.6+dfsg-4)
sid: resolved (fixed in 0.9.6+dfsg-4)
trixie: resolved (fixed in 0.9.6
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [fedora-all]
bugzilla·2018-09-20·CVSS 6.5
CVE-2018-14320 [MEDIUM] CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [fedora-all]
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [epel-all]
bugzilla·2018-09-20·CVSS 6.5
CVE-2018-14320 [MEDIUM] CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [epel-all]
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
Bugzilla
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure
bugzilla·2018-09-20·CVSS 6.5
CVE-2018-14320 [MEDIUM] CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure
CVE-2018-14320 podofo: Lack of proper validation of user supplied data can result in information disclosure
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo Library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within PdfEncoding::ParseToUnicode(). The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition.
References:
https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
Discussion:
Created podofo tracking bugs for this issue:
Affects: epel-all [bug 1631431]
Affects: fedora-all [bug 1631430]
---
This CVE Bugzilla entry is for community
2018-09-17
Published