CVE-2018-20551 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 54%

Affected Products (NVD)

Vendor	Product	Version
freedesktop	poppler	0.72.0
canonical	ubuntu_linux	14.04
canonical	ubuntu_linux	16.04
canonical	ubuntu_linux	18.04
canonical	ubuntu_linux	18.10

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

poppler

bookworm	22.12.0-2 fixed
bullseye	20.09.0-3.1+deb11u1 fixed
bullseye (security)	20.09.0-3.1+deb11u1 fixed
jessie	not-affected
sid	24.08.0-3 fixed
stretch	ignored
trixie	24.08.0-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

poppler

bionic	Fixed 0.62.0-2ubuntu2.7 released
cosmic	Fixed 0.68.0-0ubuntu1.5 released
trusty	dne
xenial	Fixed 0.41.0-0ubuntu1.12 released

openSUSE / SLES Releases

openSUSE Product

Release

libpoppler-cpp0

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

libpoppler-devel

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

libpoppler-glib-devel

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

libpoppler-glib8

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

libpoppler73

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

poppler-tools

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

typelib-1_0-Poppler-0_18

suse enterprise sap 15	0.62.0-4.6.1 fixed
suse enterprise sap 15 SP1	0.62.0-4.6.1 fixed
suse enterprise server 15	0.62.0-4.6.1 fixed
suse enterprise server 15 SP1	0.62.0-4.6.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

poppler

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-cpp

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-cpp-devel

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-devel

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-glib

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-glib-devel

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-qt5

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-qt5-devel

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

poppler-utils

RHEL 8	0:0.66.0-11.el8_0.12 fixed
RHEL 8.0 E4S	0:0.66.0-11.el8_0.12 fixed

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://access.redhat.com/errata/RHSA-2019:2713

https://gitlab.freedesktop.org/poppler/poppler/issues/703

https://gitlab.freedesktop.org/poppler/poppler/merge_requests/146

https://usn.ubuntu.com/3886-1/

https://access.redhat.com/errata/RHSA-2019:2713

https://gitlab.freedesktop.org/poppler/poppler/issues/703

https://gitlab.freedesktop.org/poppler/poppler/merge_requests/146

https://usn.ubuntu.com/3886-1/