CVE-2017-14686 - OpenCVE

Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Artifex	Mupdf

Configuration 1 [-]

AND

cpe:2.3:a:artifex:mupdf:1.11:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

References

Link	Resource
http://git.ghostscript.com/?p=mupdf.git%3Bh=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
http://www.debian.org/security/2017/dsa-4006
https://bugs.ghostscript.com/show_bug.cgi?id=698540	Exploit Third Party Advisory
https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-22T06:00:00

Updated: 2017-11-04T09:57:01

Reserved: 2017-09-22T00:00:00

Link: CVE-2017-14686

JSON object: View

NVD Information

Status : Modified

Published: 2017-09-22T06:29:00.267

Modified: 2023-11-07T02:39:09.980

Link: CVE-2017-14686

JSON object: View

Redhat Information

No data.

CWE

CWE-119

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-09-22T00:00:00", "descriptions": [{"lang": "en", "value": "Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a \"User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d\" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-04T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4006", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2017/dsa-4006"}, {"tags": ["x_refsource_MISC"], "url": "http://git.ghostscript.com/?p=mupdf.git%3Bh=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698540"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14686", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a \"User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d\" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4006", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2017/dsa-4006"}, {"name": "http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1", "refsource": "MISC", "url": "http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1"}, {"name": "https://bugs.ghostscript.com/show_bug.cgi?id=698540", "refsource": "MISC", "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698540"}, {"name": "https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686", "refsource": "MISC", "url": "https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14686", "datePublished": "2017-09-22T06:00:00", "dateReserved": "2017-09-22T00:00:00", "dateUpdated": "2017-11-04T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artifex:mupdf:1.11:*:*:*:*:*:*:*", "matchCriteriaId": "13F18A1A-67A7-471B-AD7A-29F65DF4F2BD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a \"User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d\" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers."}, {"lang": "es", "value": "La versi\u00f3n 1.11 de Artifex MuPDF permite que los atacantes ejecuten c\u00f3digo arbitrario o que provoquen una denegaci\u00f3n de servicio mediante un archivo .xps manipulado, relacionado con \"User Mode Write AV comenzando en wow64!Wow64NotifyDebugger+0x000000000000001d\" en Windows. Esto ocurre porque read_zip_dir_imp en fitz/unzip.c no comprueba si los campos de tama\u00f1o en una entrada ZIP son n\u00fameros negativos."}], "id": "CVE-2017-14686", "lastModified": "2023-11-07T02:39:09.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-22T06:29:00.267", "references": [{"source": "cve@mitre.org", "url": "http://git.ghostscript.com/?p=mupdf.git%3Bh=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2017/dsa-4006"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698540"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/wlinzi/security_advisories/tree/master/CVE-2017-14686"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}