Nitropdf
CVE-2019-5047
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a Use After Free. An attacker can craft a malicious PDF to trigger this vulnerability.
AnalysisAI
An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. An exploitable Use After Free vulnerability exists in the CharProcs parsing functionality of NitroPDF. A specially crafted PDF can cause a type confusion, resulting in a Use After Free. An attacker can craft a malicious PDF to trigger this vulnerability. Affected products include: Gonitro Nitropdf.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.
An exploitable use-after-free vulnerability exists in the Length parsing function of NitroPDF. Rated high severity (CVSS
A specifically crafted PDF file can lead to a heap corruption when opened in NitroPDF 12.12.1.522. Rated high severity (
A specifically crafted PDF file can lead to a heap corruption when opened in NitroPDF 12.12.1.522. Rated high severity (
A specifically crafted jpeg2000 file embedded in a PDF file can lead to a heap corruption when opening a PDF document in
A specifically crafted jpeg2000 file embedded in a PDF file can lead to a heap corruption when opening a PDF document in
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today