PT-2018-16230 · Leptonica+2

Published: 2018-02-12 · Updated: 2024-06-15 · CVE-2018-3836

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Leptonica version 1.74.4

Description
An exploitable command injection issue exists in the gplotMakeOutput function. A specially crafted gplot rootname argument can cause a command injection, resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this issue.

Recommendations
For Leptonica version 1.74.4, consider restricting the input to the gplotMakeOutput function to prevent malicious paths from being injected, until a patch is available. As a temporary workaround, validate and sanitize all user-provided input to this function to minimize the risk of exploitation.
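
One way to apply the input-validation workaround in a calling application, as an added example (not Leptonica code and not part of the original advisory): an allowlist check run on the gplot rootname before it reaches the library. The function name `rootname_is_safe`, the 255-byte limit and the permitted character set are assumptions chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define ROOTNAME_MAX 255   /* assumed length limit for this example */

/* Returns 1 if rootname contains only allowlisted path characters and
 * no ".." component, 0 otherwise. Rejecting by allowlist keeps shell
 * metacharacters (; | & $ ` quotes, spaces, newlines) out of the path. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL)
        return 0;
    size_t len = strlen(rootname);
    if (len == 0 || len > ROOTNAME_MAX)
        return 0;
    if (rootname[0] == '-')            /* could be parsed as an option */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rootname[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' ||
                 c == '.' || c == '/';
        if (!ok)
            return 0;
        /* reject ".." only when it forms a whole path component */
        if (c == '.' && rootname[i + 1] == '.' &&
            (i == 0 || rootname[i - 1] == '/') &&
            (rootname[i + 2] == '/' || rootname[i + 2] == '\0'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample inputs, not taken from the advisory */
    const char *samples[] = { "/tmp/plot_out", "out/run-01.v2",
                              "/tmp/a b", "/tmp/x;y", "a/../b", "-o" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               rootname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The caller invokes the gplot functions only when the check returns 1 and otherwise fails the request.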

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related identifiers

CVE-2018-3836
DLA-1284-1
MGASA-2018-0154
MGASA-2018-0279
OPENSUSE-SU-2018_0429-1
OPENSUSE-SU-2024:10914-1
USN-4819-1

Affected products

Leptonica
Suse
Ubuntu