CVE-2021-21797 — Double Free in Nitro PRO

CWE-415 — Double Free5 documents4 sources

Severity

7.8HIGHNVD

EPSS

73.4%

top 1.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gonitro Nitro PRO

Timeline

PublishedOct 18

Latest updateMay 24

Description

An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5gonitro/nitro_proNitro Pro 13.31.0.605 ,Nitro Pro 13.33.2.645

▶NVDgonitro/nitro_pro13.31.0.605, 13.33.2.645+1

🔴Vulnerability Details

GHSA

GHSA-5676-7chm-gxvm: An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF↗2022-05-24

▶

CVEList

CVE-2021-21797: An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF↗2021-10-18

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF↗2021-10-14

▶

Talos

Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF↗2021-10-14

▶