A vulnerability has been found in Foxit PhantomPDF and classified as critical. This vulnerability affects some unknown functionality of the component DXF File Handler. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the conversion of DXF files to PDF. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9276.

The weakness was disclosed 10/25/2019. This vulnerability was named CVE-2019-17145 since 10/04/2019. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. The technical details are unknown and an exploit is not available.

Upgrading to version 9.6.0.25114 eliminates this vulnerability.

The entries 144201, 144200, 144199 and 144198 are pretty similar.

Productinfo

Vendor

• Foxit

Name

• PhantomPDF

License

• free

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion