A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P
Vendors Products
Redhat
  • Enterprise Linux
  • Enterprise Linux Server Aus
  • Enterprise Linux Server Tus
  • Enterprise Linux Desktop
  • Enterprise Linux Workstation
  • Enterprise Linux Server
  • Enterprise Linux Eus
Canonical
  • Ubuntu Linux
Debian
  • Debian Linux
Freedesktop
  • Poppler

Configuration 1 [-]

cpe:2.3:a:freedesktop:poppler:0.72.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
References
Link Resource
http://www.securityfocus.com/bid/106459 Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:2022 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2713 Third Party Advisory
https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7 Patch Third Party Advisory
https://gitlab.freedesktop.org/poppler/poppler/issues/704 Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00033.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00014.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html Mailing List Third Party Advisory
https://usn.ubuntu.com/3865-1/ Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-01-01T16:00:00

Updated: 2022-09-26T01:06:24

Reserved: 2019-01-01T00:00:00

Link: CVE-2018-20650

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2019-01-01T16:29:00.233

Modified: 2023-02-11T18:12:18.067

Link: CVE-2018-20650

JSON object: View

cve-icon Redhat Information

No data.

CWE