CVE-2010-3702
HIGH severity · CVSS 7.5 · CWE-476
Summary
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: —
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 3%
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (2)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
Additional information
- NVD record
- http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf (Patch)
- ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl5.patch
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050268.html (Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050285.html (Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050390.html (Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049392.html (Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049523.html (Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049545.html (Advisory)