Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2018-7247 CVE-2018-7186 |
CWE-ID | CWE-120 CWE-121 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Leptonica Universal components / Libraries / Libraries used by multiple products |
Vendor | DanBloomberg |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU11176
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7247
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.
The weakness exists in the pixHtmlViewer function due to buffer overflow. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 1.75.3.
Vulnerable software versionsLeptonica: 1.0 - 1.75.2
External linkshttp://github.com/DanBloomberg/leptonica/commit/c1079bb8e77cdd426759e466729917ca37a3ed9f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11175
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7186
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the gplotRead and ptaReadStream functions due to stack-based buffer overflow. A remote attacker can trigger memory corruption and cause the service to crash.
Update to version 1.75.3.
Vulnerable software versionsLeptonica: 1.0 - 1.75.2
External linkshttp://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.