Vulnerability Details : CVE-2015-8868
Heap-based buffer overflow in the ExponentialFunction::ExponentialFunction function in Poppler before 0.40.0 allows remote attackers to cause a denial of service (memory corruption and crash) or possibly execute arbitrary code via an invalid blend mode in the ExtGState dictionary in a crafted PDF document.
Vulnerability category: Overflow, Memory Corruption, Execute code, Denial of service
Products affected by CVE-2015-8868
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:poppler:0.39.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8868
3.53%: Probability of exploitation activity in the next 30 days
~ 91 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8868
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2015-8868
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8868
- https://poppler.freedesktop.org/releases.html
  Poppler
- https://security.gentoo.org/glsa/201611-15
  Poppler: Multiple vulnerabilities (GLSA 201611-15) — Gentoo security
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183142.html
  [SECURITY] Fedora 23 Update: mingw-poppler-0.34.0-2.fc23
- http://www.debian.org/security/2016/dsa-3563
  Debian -- Security Information -- DSA-3563-1 poppler
- http://www.ubuntu.com/usn/USN-2958-1
  USN-2958-1: poppler vulnerabilities | Ubuntu security notices
- http://www.openwall.com/lists/oss-security/2016/04/12/1
  oss-security - CVE request: Poppler < 0.40.0
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183107.html
  [SECURITY] Fedora 22 Update: mingw-poppler-0.30.0-4.fc22
- http://www.securityfocus.com/bid/89324
  Poppler CVE-2015-8868 Heap Buffer Overflow Vulnerability
- https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
  poppler/poppler - The poppler pdf rendering library (mirrored from https://gitlab.freedesktop.org/poppler/poppler)
- http://rhn.redhat.com/errata/RHSA-2016-2580.html
  RHSA-2016:2580 - Security Advisory - Red Hat Customer Portal
- https://bugs.freedesktop.org/show_bug.cgi?id=93476
  93476 – Memory Corruption while processing Blend Mode
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00077.html
  openSUSE-SU-2016:1630-1: moderate: Security update for poppler
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00068.html
  openSUSE-SU-2016:1322-1: moderate: Security update for poppler