CVE-2018-17607 — Use After Free in Phantompdf

CWE-416 — Use After Free3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 38.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxitsoftware Phantompdf Foxitsoftware Reader

Timeline

PublishedSep 28

Latest updateMay 14

Description

Foxit PhantomPDF and Reader before 9.3 allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) because properties of Annotation objects are mishandled. This relates to one of five distinct types of Annotation objects.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDfoxitsoftware/reader< 9.3

▶NVDfoxitsoftware/phantompdf< 9.3

Patches

Patch: www.foxitsoftware.com ↗Patch: www.foxitsoftware.com ↗

🔴Vulnerability Details

GHSA

GHSA-3x89-mv2j-86mr: Foxit PhantomPDF and Reader before 9↗2022-05-14

▶

CVEList

CVE-2018-17607: Foxit PhantomPDF and Reader before 9↗2018-09-28

▶