CVE-2018-20662Improper Input Validation in Poppler

CWE-20Improper Input ValidationCWE-617Reachable AssertionCWE-400Uncontrolled Resource Consumption11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.6%
top 30.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Freedesktop PopplerCanonical Ubuntu LinuxDebian Linux+8 more
Timeline
PublishedJan 3
Latest updateJul 27

Description

In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

Debianfreedesktop/poppler< 0.71.0-4+3

Also affects: Debian Linux 8.0, 9.0, Fedora 28, 29, 30, Ubuntu Linux 16.04, 18.04, 18.10, 19.04, Enterprise Linux 8.0, 8.1, 8.2, 8.4, 8.6

Patches

Patch: gitlab.freedesktop.orgPatch: gitlab.freedesktop.org

🔴Vulnerability Details

3
GHSA
GHSA-mwx3-cc72-hfg4: In Poppler 02022-05-13
CVEList
CVE-2018-20662: In Poppler 02019-01-03
OSV
CVE-2018-20662: In Poppler 02019-01-03

📋Vendor Advisories

4
Red Hat
poppler: abort in PDFDoc::savePageAs in PDFDoc.c2022-07-27
Ubuntu
poppler vulnerabilities2019-06-27
Red Hat
poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc2018-12-30
Debian
CVE-2018-20662: poppler - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial...2018

💬Community

3
Bugzilla
CVE-2018-20662 poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc [fedora-all]2019-01-10
Bugzilla
CVE-2018-20662 mingw-poppler: poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc [fedora-all]2019-01-10
Bugzilla
CVE-2018-20662 poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc2019-01-10
CVE-2018-20662 — Improper Input Validation in Poppler | cvebase