Researchers Aleksandar Nikolic and Cory Duplantis from Cisco Talos discovered multiple vulnerabilities including two code execution flaws and one information disclosure flaw in Nitro Pro PDF reader. Cisco Talos reported the said vulnerabilities in accordance with their disclosure policy to Nitro PDF. Thus, these issues have now been resolved and an update is made available for its affected customers.
Nitro PRO PDF Vulnerabilities Details
Nitro PRO PDF remote code execution vulnerability (CVE-2020-6074)
An exploitable code execution vulnerability is present in the Nitro Pro 220.127.116.11 version. A specific type of PDF document caused a use-after-free that lead to remote code execution. Any target who opens a malicious file could trigger this vulnerability. The severity of the vulnerability can be gauged from the fact that the CVSSv3 Score of this vulnerability was 8.8.
Nitro PRO PDF object code execution vulnerability (CVE-2020-6092)
This code execution vulnerability also exists in the Nitro Pro 18.104.22.168 version and parses Pattern objects. A malicious PDF file can trigger an integer overflow that can lead to arbitrary code execution and trigger this vulnerability.
Nitro Pro PDF information disclosure vulnerability (CVE-2020-6093)
This vulnerability exists in the XML error handling of Nitro Pro 22.214.171.124 version. A specifically created PDF document can cause uninitialized memory access, resulting in unauthorized information disclosure.
|Affected Software||Nitro PRO PDF|