CVE-2018-1000037

Gentoo Linux Security Advisory 201811-15

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In Artifex MuPDF 1.12.0 and earlier, multiple reachable assertions in the PDF parser allow an attacker to cause a denial of service (assert crash) via a crafted file.

En MuPDF 1.12.0 y anteriores, múltiples aserciones alcanzables en el analizador PDF permiten que un atacante provoque una denegación de servicio (cierre inesperado de la aserción) mediante un archivo manipulado.

Multiple vulnerabilities were discovered in MuPDF, a PDF, XPS, and e-book viewer which could result in denial of service or the execution of arbitrary code if malformed documents are opened.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2018-02-02 CVE Reserved
2018-05-24 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation

CAPEC

References (14)

URL	Tag	Source
http://git.ghostscript.com/?p=mupdf.git%3Ba=commitdiff%3Bh=71ceebcf56e682504da22c4035b39a2d451e8ffd%3Bhp=7f82c01523505052615492f8e220f4348ba46995
http://git.ghostscript.com/?p=mupdf.git%3Ba=commitdiff%3Bh=8a3257b01faa899dd9b5e35c6bb3403cd709c371%3Bhp=de39f005f12a1afc6973c1f5cec362d6545f70cb
http://git.ghostscript.com/?p=mupdf.git%3Ba=commitdiff%3Bh=b2e7d38e845c7d4922d05e6e41f3a2dc1bc1b14a%3Bhp=f51836b9732c38d945b87fda0770009a77ba680c
https://bugs.ghostscript.com/show_bug.cgi?id=698882
https://bugs.ghostscript.com/show_bug.cgi?id=698886
https://bugs.ghostscript.com/show_bug.cgi?id=698888
https://bugs.ghostscript.com/show_bug.cgi?id=698890

URL	Date	SRC
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5490	2024-08-05
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5501	2024-08-05
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5503	2024-08-05
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5511	2024-08-05
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5564	2024-08-05

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/201811-15	2024-07-15
https://www.debian.org/security/2018/dsa-4334	2024-07-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Artifex Search vendor "Artifex"		Mupdf Search vendor "Artifex" for product "Mupdf"				<= 1.12.0 Search vendor "Artifex" for product "Mupdf" and version " <= 1.12.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected