CVE-2020-35702
published 2020-12-25CVE-2020-35702: DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only…
PriorityP337high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
0.86%
53.9th percentile
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | poppler | — | — |
| freedesktop | poppler | — | — |
| freedesktop | poppler | >= 0 < 0 | 0 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_debian7.8LOW
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fcqx-5rp6-c5pj: DCTStream::getChars in DCTStream
ghsa_unreviewed·2022-05-24
CVE-2020-35702 [HIGH] CWE-787 GHSA-fcqx-5rp6-c5pj: DCTStream::getChars in DCTStream
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document.
OSV
CVE-2020-35702: DCTStream::getChars in DCTStream
osv·2020-12-25·CVSS 7.8
CVE-2020-35702 [HIGH] CVE-2020-35702: DCTStream::getChars in DCTStream
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects
Red Hat
poppler: heap-based buffer overflow via a crafted PDF document
vendor_redhat·2020-12-20·CVSS 7.8
CVE-2020-35702 [HIGH] CWE-787 poppler: heap-based buffer overflow via a crafted PDF document
poppler: heap-based buffer overflow via a crafted PDF document
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects
A heap buffer overflow flaw was found in poppler. This flaw allows a remote attacker to provide a specially crafted PDF file that, when processed by the 'pdftops' program, leads to a crash or potential code execution. The highest threat from
Debian
CVE-2020-35702: poppler - DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer o...
vendor_debian·2020·CVSS 7.8
CVE-2020-35702 [HIGH] CVE-2020-35702: poppler - DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer o...
DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-12-25
Published