CVE-2018-8000 — Out-of-bounds Write in Project Podofo

CWE-787 — Out-of-bounds Write CWE-287 — Improper Authentication12 documents6 sources

Severity

8.8HIGHNVD

OSV7.8

EPSS

3.3%

top 12.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Podofo Project Podofo

Timeline

PublishedMar 9

Latest updateMay 13

Description

In PoDoFo 0.9.5, there exists a heap-based buffer overflow vulnerability in PoDoFo::PdfTokenizer::GetNextToken() in PdfTokenizer.cpp, a related issue to CVE-2017-5886. Remote attackers could leverage this vulnerability to cause a denial-of-service or potentially execute arbitrary code via a crafted pdf file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDpodofo_project/podofo0.9.5

🔴Vulnerability Details

GHSA

GHSA-68hv-95wx-r3jh: In PoDoFo 0↗2022-05-13

▶

OSV

CVE-2018-8000: In PoDoFo 0↗2018-03-09

▶

💥Exploits & PoCs

Exploit-DB

OpenMRS Platform < 2.24.0 - Insecure Object Deserialization↗2019-02-05

▶

Exploit-DB

Bolt CMS < 3.6.2 - Cross-Site Scripting↗2018-12-19

▶

Exploit-DB

Episerver 7 patch 4 - XML External Entity Injection↗2018-08-29

▶

Exploit-DB

LG NAS 3718.510.a0 - Remote Command Execution↗2018-07-31

▶

Exploit-DB

Splunk < 7.0.1 - Information Disclosure↗2018-06-08

▶

📋Vendor Advisories

Citrix

CVE-2018-18014: * Lack of authentication in Citrix Xen Mobile through 10.8 allows low-privileged local users to execute system commands as root by making requests to↗2018-10-24

▶

💬Community

Bugzilla

CVE-2018-8000 podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken() in PdfTokenizer.cpp↗2018-03-12

▶

Bugzilla

CVE-2018-8000 CVE-2018-8001 CVE-2018-8002 podofo: various flaws [epel-all]↗2018-03-12

▶

Bugzilla

CVE-2018-8002 podofo [fedora-all]↗2018-03-12

▶