Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-9877 |
CWE-ID | CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
xpdf Client/Desktop applications / Office applications |
Vendor | Glyph & Cog |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU36051
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9877
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
There is an invalid memory access vulnerability in the function TextPage::findGaps() located at TextOutputDev.c in Xpdf 4.01, which can (for example) be triggered by sending a crafted pdf file to the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
MitigationInstall update from vendor's website.
Vulnerable software versionsxpdf: 4.0.1
External linkshttp://forum.xpdfreader.com/viewtopic.php?f=3&t=41265
http://research.loginsoft.com/bugs/invalid-memory-access-in-textpagefindgaps-xpdf-4-01/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.