#VU82600 Reachable Assertion in Poppler


Published: 2023-10-31

Vulnerability identifier: #VU82600

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-38349

CWE-ID: CWE-617

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Poppler
Client/Desktop applications / Office applications

Vendor: Freedesktop.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the PDFDoc::replacePageDict() function in PDFDoc.cc. A remote attacker can trick the victim to open a specially crafted PDF file and crash the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Poppler: 22.01.0 - 22.08.0

External links
http://gitlab.freedesktop.org/poppler/poppler/-/issues/1282
http://gitlab.freedesktop.org/poppler/poppler/-/commit/4564a002bcb6094cc460bc0d5ddff9423fe6dd28

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for poppler
Ubuntu update for poppler
SUSE update for poppler
SUSE update for poppler
SUSE update for poppler
SUSE update for poppler
SUSE update for poppler
Amazon Linux AMI update for poppler
Denial of service in Poppler
openEuler 22.03 LTS update for poppler