cbcvebase.

Freedesktop Poppler vulnerabilities

157 known vulnerabilities affecting freedesktop/poppler.

Total CVEs
157
CISA KEV
1
actively exploited
Public exploits
4
Exploited in wild
1
Severity breakdown
CRITICAL9HIGH52MEDIUM92LOW4

Vulnerabilities

Page 2 of 8
CVE-2007-4352P3HIGHCVSS 7.6≥ 0, < 0.6.2-12007-11-08
CVE-2007-4352 [HIGH] CVE-2007-4352: Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE, KOffice, CUPS, and other products, allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.
osv
CVE-2015-8868P3HIGHCVSS 7.8v0.39.02016-05-06
CVE-2015-8868 [HIGH] CWE-119 CVE-2015-8868: Heap-based buffer overflow in the ExponentialFunction::ExponentialFunction function in Poppler befor Heap-based buffer overflow in the ExponentialFunction::ExponentialFunction function in Poppler before 0.40.0 allows remote attackers to cause a denial of service (memory corruption and crash) or possibly execute arbitrary code via an invalid blend mode in the ExtGState dictionary in a crafted PDF document.
nvdosv
CVE-2018-21009P3HIGHCVSS 8.8fixed in 0.76.02019-09-05
CVE-2018-21009 [HIGH] CWE-190 CVE-2018-21009: Poppler before 0.66.0 has an integer overflow in Parser::makeStream in Parser.cc. Poppler before 0.66.0 has an integer overflow in Parser::makeStream in Parser.cc.
nvdosv
CVE-2009-1180P3MEDIUMCVSS 6.8≥ 0, < 0.10.6-12009-04-23
CVE-2009-1180 [MEDIUM] CVE-2009-1180: The JBIG2 decoder in Xpdf 3 The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.
osv
CVE-2007-3387P3MEDIUMCVSS 6.8fixed in 0.5.912007-07-30
CVE-2007-3387 [MEDIUM] CWE-190 CVE-2007-3387: Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppl Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredict
nvdosv
CVE-2017-1000456P3HIGHCVSS 8.8v0.60.12018-01-02
CVE-2017-1000456 [HIGH] CWE-119 CVE-2017-1000456: freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to over freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations.
nvdosv
CVE-2019-9543P3HIGHCVSS 8.8v0.74.02019-03-01
CVE-2019-9543 [HIGH] CWE-674 CVE-2019-9543: An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBit An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JA
nvd
CVE-2019-12293P3HIGHCVSS 8.8≤ 0.76.12019-05-23
CVE-2019-12293 [HIGH] CWE-125 CVE-2019-12293: In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stre In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
nvdosv
CVE-2019-9631P3CRITICALCVSS 9.8v0.74.02019-03-08
CVE-2019-9631 [CRITICAL] CWE-125 CVE-2019-9631: Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.
nvdosv
CVE-2022-38784P3HIGHCVSS 7.8≤ 22.08.02022-08-30
CVE-2022-38784 [HIGH] CVE-2022-38784: Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Strea Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.
nvdosv
CVE-2019-10872P3HIGHCVSS 8.8v0.74.02019-04-05
CVE-2019-10872 [HIGH] CWE-125 CVE-2019-10872: An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Sp An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc.
nvdosv
CVE-2017-15565P3HIGHCVSS 8.8v0.59.02017-10-17
CVE-2017-15565 [HIGH] CWE-476 CVE-2017-15565: In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document.
nvdosv
CVE-2020-27778P3HIGHCVSS 7.5fixed in 0.76.0vpoppler 0.76.02020-12-03
CVE-2020-27778 [HIGH] CWE-824 CVE-2020-27778: A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service.
nvdosv
CVE-2010-4654P3HIGHCVSS 7.8fixed in 0.16.32019-11-13
CVE-2010-4654 [HIGH] CWE-74 CVE-2010-4654: poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack. poppler before 0.16.3 has malformed commands that may cause corruption of the internal stack.
nvdosv
CVE-2020-35702P3HIGHCVSS 7.8v20.12.12020-12-25
CVE-2020-35702 [HIGH] CWE-787 CVE-2020-35702: DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafte DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open
nvdosv
CVE-2005-3192P3HIGHCVSS 7.5≥ 0, < 0.4.3-22005-12-08
CVE-2005-3192 [HIGH] CVE-2005-3192: Heap-based buffer overflow in the StreamPredictor function in Xpdf 3 Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01, as used in products such as (1) Poppler, (2) teTeX, (3) KDE kpdf, and (4) pdftohtml, (5) KOffice KWord, (6) CUPS, and (7) libextractor allows remote attackers to execute arbitrary code via a PDF file with an out-of-range numComps (number of components) field.
osv
CVE-2019-9545P3HIGHCVSS 8.8v0.74.02019-03-01
CVE-2019-9545 [HIGH] CWE-674 CVE-2019-9545: An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bi
nvd
CVE-2009-1179P3MEDIUMCVSS 6.8≥ 0, < 0.10.6-12009-04-23
CVE-2009-1179 [MEDIUM] CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3 Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file.
osv
CVE-2009-0800P3MEDIUMCVSS 6.8≥ 0, < 0.10.6-12009-04-23
CVE-2009-0800 [MEDIUM] CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3 Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.
osv
CVE-2008-1693P3MEDIUMCVSS 6.8≥ 0, < 0.6.4-12008-04-18
CVE-2008-1693 [MEDIUM] CVE-2008-1693: The CairoFont::create function in CairoFontEngine The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object.
osv
Freedesktop Poppler vulnerabilities | cvebase