CVE-2018-19060NULL Pointer Dereference in Poppler

CWE-476NULL Pointer Dereference11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 64.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Freedesktop PopplerCanonical Ubuntu Linux
Timeline
PublishedNov 7
Latest updateMay 14

Description

An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

Debianfreedesktop/poppler< 0.85.0-2+3
Ubuntufreedesktop/poppler< 0.24.5-2ubuntu4.13+2

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

🔴Vulnerability Details

4
GHSA
GHSA-jh94-6vqx-6xvm: An issue was discovered in Poppler 02022-05-14
OSV
poppler vulnerabilities2018-12-04
CVEList
CVE-2018-19060: An issue was discovered in Poppler 02018-11-07
OSV
CVE-2018-19060: An issue was discovered in Poppler 02018-11-07

📋Vendor Advisories

3
Ubuntu
poppler vulnerabilities2018-12-04
Red Hat
poppler: pdfdetach utility does not validate save paths2018-11-06
Debian
CVE-2018-19060: poppler - An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference i...2018

💬Community

3
Bugzilla
CVE-2018-19060 mingw-poppler: poppler: pdfdetach utility does not validate save paths [fedora-all]2018-11-13
Bugzilla
CVE-2018-19060 poppler: pdfdetach utility does not validate save paths2018-11-13
Bugzilla
CVE-2018-19060 poppler: pdfdetach utility does not validate save paths [fedora-all]2018-11-13
CVE-2018-19060 — NULL Pointer Dereference in Poppler | cvebase