CVE-2020-6146
published 2020-09-16


Priority: P265 (high)
CVSS 3.1: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
EPSS: 78.47% (99.5th percentile)
An exploitable code execution vulnerability exists in the rendering functionality of Nitro Pro 13.13.2.242 and 13.16.2.300. When drawing the contents of a page and selecting the stroke color from an 'ICCBased' colorspace, the application will read a length from the file and use it as a loop sentinel when writing data into the member of an object. Due to the object member being a buffer of a static size allocated on the heap, this can result in a heap-based buffer overflow. A specially crafted document must be loaded by a victim in order to trigger this vulnerability.
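The bug class the description names is a file-supplied count used as the loop bound for writes into a heap buffer of fixed size. The following is an added illustration written for this page, not Nitro Pro's code: the structure layout, the 4-byte big-endian count, the function names and the sample bytes are all assumptions made for the example. The first parser checks only that the source has enough bytes and so overruns the 4-byte destination when the count is larger; the second bounds the loop by the destination and rejects any /N value an ICCBased colour space cannot carry.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the advisory's bug class: a colour-space object owns a
 * fixed-size component buffer on the heap, and the renderer copies a run of
 * stroke-colour components whose count comes straight from the document.
 * Names, layout and the big-endian count are assumptions for this example. */
#define MAX_COMPONENTS 4   /* PDF allows an ICCBased /N of 1, 3 or 4 */

typedef struct {
    size_t   count;
    uint8_t *components;   /* malloc(MAX_COMPONENTS): static size, heap allocated */
} stroke_color_t;

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the file-supplied count is the loop sentinel and only the
 * source buffer is bounds-checked, so a count above MAX_COMPONENTS writes past
 * the end of the heap allocation. */
int set_stroke_color_unchecked(stroke_color_t *sc, const uint8_t *data, size_t data_len) {
    if (data_len < 4) return -1;
    uint32_t n = read_u32_be(data);
    if (n > data_len - 4) return -1;             /* source check only */
    for (uint32_t i = 0; i < n; i++)             /* heap overflow when n > 4 */
        sc->components[i] = data[4 + i];
    sc->count = n;
    return 0;
}

/* Hardened: the destination capacity bounds the write, and values the format
 * cannot legitimately carry are rejected before anything is copied. */
int set_stroke_color_checked(stroke_color_t *sc, const uint8_t *data, size_t data_len) {
    if (data_len < 4) return -1;
    uint32_t n = read_u32_be(data);
    if (n != 1 && n != 3 && n != 4) return -1;   /* not a valid ICCBased /N */
    if (n > MAX_COMPONENTS) return -1;           /* destination bound, kept explicit */
    if (n > data_len - 4) return -1;             /* source bound */
    memcpy(sc->components, data + 4, n);
    sc->count = n;
    return 0;
}

/* Run one parser over a byte string with a fresh colour object and return the
 * parser's result, so both paths can be compared on identical input. */
static int run_parser(int (*parser)(stroke_color_t *, const uint8_t *, size_t),
                      const uint8_t *data, size_t data_len) {
    stroke_color_t sc = { 0, malloc(MAX_COMPONENTS) };
    if (!sc.components) return -2;
    int rc = parser(&sc, data, data_len);
    free(sc.components);
    return rc;
}

int try_checked(const uint8_t *d, size_t n)   { return run_parser(set_stroke_color_checked, d, n); }
int try_unchecked(const uint8_t *d, size_t n) { return run_parser(set_stroke_color_unchecked, d, n); }

/* Constructed inputs: a benign 3-component colour, and a hostile record whose
 * count (16) exceeds the 4-byte destination buffer. */
const uint8_t SAMPLE_BENIGN[]  = { 0, 0, 0, 3, 0x10, 0x20, 0x30 };
const uint8_t SAMPLE_HOSTILE[] = { 0, 0, 0, 16, 1, 2, 3, 4, 5, 6, 7, 8,
                                   9, 10, 11, 12, 13, 14, 15, 16 };
const size_t SAMPLE_BENIGN_LEN  = sizeof SAMPLE_BENIGN;
const size_t SAMPLE_HOSTILE_LEN = sizeof SAMPLE_HOSTILE;

int main(void) {
    printf("benign:  unchecked=%d checked=%d\n",
           try_unchecked(SAMPLE_BENIGN, SAMPLE_BENIGN_LEN),
           try_checked(SAMPLE_BENIGN, SAMPLE_BENIGN_LEN));
    /* The unchecked parser is deliberately never run on SAMPLE_HOSTILE: it would
     * write 12 bytes past the allocation and corrupt the heap. */
    printf("hostile: checked=%d (rejected)\n",
           try_checked(SAMPLE_HOSTILE, SAMPLE_HOSTILE_LEN));
    return 0;
}
```

The point of the hardened version is that the destination size, not the file, bounds the loop; the extra /N whitelist is the format-level check a reviewer would ask for, since anything outside {1, 3, 4} is already malformed before size is considered.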

Affected (3 ranges)

Vendor    Product    Version range   Fixed in
gonitro   nitro_pro  (not given)     (not given)
gonitro   nitro_pro  (not given)     (not given)
gonitro   nitro_pro  (not given)     (not given)

Detection & IOCs (extracted from sources)

Snort SIDs: 53114, 53115, 53948, 53949, 53990, 53991, 53992, 53993, 54010, 54011, 54047, 54048
  • CVE-2020-6146 is triggered during PDF rendering when the stroke colour is selected from an ICCBased colorspace: the application reads an attacker-controlled length from the file and uses it as the loop sentinel for writes into a fixed-size heap buffer. Look for malformed PDF documents whose ICCBased colorspace stream objects carry anomalously large length values.
  • Exploitation requires a victim to open a specially crafted PDF; the delivery vector is a malicious PDF file targeting Nitro Pro 13.13.2.242 and 13.16.2.300.
  • The Snort rules listed cover the full set of Nitro Pro vulnerabilities disclosed in this advisory (CVE-2020-6112, -6113, -6115, -6116, -6146); the source does not map individual rules to CVEs, so enable all of them when defending against this advisory's vulnerability set.
  • Additional Snort rules may be released after publication; consult Firepower Management Center or Snort.org for the current rule set.
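The first bullet's hunting heuristic, written out as an added example for this page (it is not a rule from the advisory or any vendor tool): walk every `[/ICCBased n g R]` array in a PDF, resolve the referenced stream dictionary and flag a /N outside {1, 3, 4} or a /Length above a threshold. The threshold value, the function names and the two embedded PDF fragments are assumptions constructed for the example; the scanner treats the file as text and is meant for triage, not as a replacement for a real PDF parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Threshold is an assumption: embedded ICC profiles normally run from a few KB
 * to a few hundred KB, so a /Length in the tens of MB deserves a second look. */
#define ICC_LENGTH_SUSPECT (16L * 1024L * 1024L)

/* Locate "<num> <gen> obj" and return a pointer just past it, or NULL.
 * The leading-character test keeps "12 0 obj" from matching inside "112 0 obj". */
static const char *find_object(const char *pdf, int num, int gen) {
    char tag[32];
    snprintf(tag, sizeof tag, "%d %d obj", num, gen);
    const char *p = pdf;
    while ((p = strstr(p, tag)) != NULL) {
        if (p == pdf || p[-1] == '\n' || p[-1] == '\r' || p[-1] == ' ')
            return p + strlen(tag);
        p += strlen(tag);
    }
    return NULL;
}

/* Read the integer that follows "key" inside this object's dictionary; the
 * search stops at the object's own "endobj" so a later object cannot supply
 * the value. Returns 1 on success. */
static int dict_int(const char *obj, const char *key, long *out) {
    const char *end = strstr(obj, "endobj");
    const char *p = strstr(obj, key);
    if (!p || (end && p > end)) return 0;
    return sscanf(p + strlen(key), "%ld", out) == 1;
}

/* Walk every "[/ICCBased n g R]" reference, resolve the stream object and
 * flag /N outside {1,3,4} or /Length above ICC_LENGTH_SUSPECT.
 * Returns the number of flagged colour-space streams. */
int scan_iccbased(const char *pdf, int verbose) {
    int flagged = 0;
    const char *p = pdf;
    while ((p = strstr(p, "/ICCBased")) != NULL) {
        int num, gen;
        p += strlen("/ICCBased");
        if (sscanf(p, " %d %d R", &num, &gen) != 2) continue;
        const char *obj = find_object(pdf, num, gen);
        if (!obj) continue;
        long n = -1, len = -1;
        int bad_n   = !dict_int(obj, "/N ", &n) || (n != 1 && n != 3 && n != 4);
        int bad_len = !dict_int(obj, "/Length", &len) || len < 0 || len > ICC_LENGTH_SUSPECT;
        if (bad_n || bad_len) {
            flagged++;
            if (verbose)
                printf("object %d %d: /N=%ld /Length=%ld -> suspicious\n", num, gen, n, len);
        }
    }
    return flagged;
}

/* Constructed fragments (stream bodies omitted): one well-formed document and
 * one carrying an oversized /Length and an impossible /N. */
const char SAMPLE_PDF_OK[] =
    "%PDF-1.4\n"
    "1 0 obj\n<< /Type /Page /Resources << /ColorSpace << /CS0 [/ICCBased 2 0 R] >> >> >>\nendobj\n"
    "2 0 obj\n<< /N 3 /Alternate /DeviceRGB /Length 3144 >>\nstream\n<icc bytes>\nendstream\nendobj\n";

const char SAMPLE_PDF_BAD[] =
    "%PDF-1.4\n"
    "1 0 obj\n<< /Type /Page /Resources << /ColorSpace << /CS0 [/ICCBased 2 0 R] /CS1 [/ICCBased 3 0 R] >> >> >>\nendobj\n"
    "2 0 obj\n<< /N 3 /Alternate /DeviceRGB /Length 1073741824 >>\nstream\n<icc bytes>\nendstream\nendobj\n"
    "3 0 obj\n<< /N 250 /Alternate /DeviceRGB /Length 3144 >>\nstream\n<icc bytes>\nendstream\nendobj\n";

int main(void) {
    printf("benign document: %d flagged\n", scan_iccbased(SAMPLE_PDF_OK, 1));
    printf("hostile document: %d flagged\n", scan_iccbased(SAMPLE_PDF_BAD, 1));
    return 0;
}
```

Real documents may compress object streams or split the dictionary across an incremental update, so in practice run this over the output of a PDF decompressor; the heuristic itself (a /N the spec does not allow, or a length far beyond any plausible profile) is the part worth keeping.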

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD     v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD     v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P