CVE-2020-6112 — Use of Out-of-range Pointer Offset in Nitro PRO
Severity
7.8 HIGH (NVD)
EPSS
0.1%
top 84.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 17
Latest update: May 24
Description
An exploitable code execution vulnerability exists in the JPEG2000 Stripe Decoding functionality of Nitro Software, Inc.’s Nitro Pro 13.13.2.242 when decoding sub-samples. While initializing tiles with sub-sample data, the application can miscalculate a pointer for the stripes in the tile, which allows the decoder to write out of bounds and cause memory corruption. This can result in code execution. A specially crafted image can be embedded inside a PDF and loaded by a victim in order to trigg…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-4r39-5xx8-q235: An exploitable code execution vulnerability exists in the JPEG2000 Stripe Decoding functionality of Nitro Software, Inc (2022-05-24)
CVEList
CVE-2020-6112: An exploitable code execution vulnerability exists in the JPEG2000 Stripe Decoding functionality of Nitro Software, Inc (2020-09-17)