Main Vulnerability Database Vulnerabilities #VU16348

NULL pointer dereference in Poppler - CVE-2018-19060

Published: December 5, 2018 / Updated: December 10, 2018

Vulnerability identifier: #VU16348

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2018-19060

CWE-ID: CWE-476

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Freedesktop.org

Affected software:
Poppler

Detailed vulnerability description

The vulnerability allows a remote attacker to cause DoS condicion on the target system.

The vulnerability exists due to NULL pointer dereference condition in the GooString.h source code file when the filenames of embedded files are insufficiently validated before a save path is constructed. A remote attacker can trick the victim into accessing an embedded file that submits malicious input, trigger a NULL pointer dereference and cause the service to crash.

How to mitigate CVE-2018-19060

Install update from vendor's website.

Sources

https://gitlab.freedesktop.org/poppler/poppler/issues/660

NULL pointer dereference in Poppler - CVE-2018-19060

Detailed vulnerability description

How to mitigate CVE-2018-19060

Sources

Please verify you're human