// For flags

CVE-2018-14320

PoDoFo Library ParseToUnicode Memory Corruption Information Disclosure Vulnerability

Severity Score

6.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-5673.

Esta vulnerabilidad permite que atacantes remotos revelen información sensible en instalaciones vulnerables de PoDoFo. Se requiere de interacción del usuario para explotar esta vulnerabilidad en la que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso. Este error en concreto existe en PdfEncoding::ParseToUnicode. El problema deriva de la falta de validación correcta de información proporcionada por el usuario, lo que puede dar como resultado una condición de corrupción de memoria. Un atacante podría aprovecharse de esta vulnerabilidad y otras para ejecutar código arbitrario en el contexto del actual proceso. Anteriormente era ZDI-CAN-5673.

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo Library. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within PdfEncoding::ParseToUnicode(). The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

*Credits: V.E.O of Trend Micro Mobile Security Research Team
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-07-16 CVE Reserved
  • 2018-09-13 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (1)
URL Tag Source
https://zerodayinitiative.com/advisories/ZDI-18-1046 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Podofo Project
Search vendor "Podofo Project"
 Podofo
Search vendor "Podofo Project" for product "Podofo"
--
Affected