PT-2021-8830 · Qoppa+6 · PDF Studio Pro+10

Published 2021-01-07 · Updated 2024-11-27 · CVE-2018-18689

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Foxit Reader versions prior to 9.4
PhantomPDF versions prior to 8.3.9 and 9.x prior to 9.4
eXpert PDF 12 Ultimate (affected versions not specified)
Expert PDF Reader (affected versions not specified)
Nitro Pro (affected versions not specified)
Nitro Reader (affected versions not specified)
PDF Architect 6 (affected versions not specified)
PDF Editor 6 Pro (affected versions not specified)
PDF Experte 9 Ultimate (affected versions not specified)
PDFelement6 Pro (affected versions not specified)
PDF Studio Viewer 2018 (affected versions not specified)
PDF Studio Pro (affected versions not specified)
PDF-XChange Editor and Viewer (affected versions not specified)
Perfect PDF 10 Premium (affected versions not specified)
Perfect PDF Reader (affected versions not specified)
Soda PDF (affected versions not specified)
Soda PDF Desktop (affected versions not specified)

Description

The Portable Document Format (PDF) specification does not define a concrete procedure for validating signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic.

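A structural check for the /ByteRange side of the issue described above, as an added example that is not part of the advisory or of any vendor's code. It scans raw bytes as a triage heuristic (it does not verify the signature itself); the function names and the PDF-like sample are constructed for illustration.

```python
import re

# "/ByteRange [a b c d]": signed bytes are [a, a+b) and [c, c+d).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")  # the /Contents value


def byte_range_findings(pdf: bytes) -> list[str]:
    """Return structural problems with every /ByteRange found in the raw bytes."""
    matches = list(BYTE_RANGE.finditer(pdf))
    if not matches:
        return ["no /ByteRange found"]
    findings, covered_to = [], 0
    for m in matches:
        a, b, c, d = (int(g) for g in m.groups())
        where = f"/ByteRange at offset {m.start()}"
        if a != 0:
            findings.append(f"{where}: signed data does not start at byte 0")
        if c < a + b or c + d > len(pdf):
            findings.append(f"{where}: ranges overlap or run past end of file")
            continue
        # The only unsigned bytes should be the signature value itself.
        if not HEX_STRING.fullmatch(pdf[a + b:c]):
            findings.append(f"{where}: gap is not exactly one hex string")
        covered_to = max(covered_to, c + d)
    if covered_to < len(pdf):
        findings.append(f"{len(pdf) - covered_to} trailing bytes are outside every signed range")
    return findings


def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like sample (not a validly signed PDF) with a consistent /ByteRange."""
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    head_fmt = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    head_len = len(head_fmt % (0, 0, 0))  # fixed-width numbers keep the length stable
    head = head_fmt % (head_len, head_len + len(contents), len(tail))
    return head + contents + tail + appended


if __name__ == "__main__":
    print(byte_range_findings(build_sample()))
    print(byte_range_findings(build_sample(b"9 0 obj\n<< >>\nendobj\n")))
```

Trailing bytes can also come from a legitimate incremental update, so that finding marks a file for review and is not proof of tampering.
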
Recommendations

For Foxit Reader versions prior to 9.4, update to version 9.4 or later. For PhantomPDF versions prior to 8.3.9 and 9.x prior to 9.4, update to version 8.3.9 or 9.4 or later. For eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop, there is currently no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2018-18689

Affected Products

Foxit Reader
Nitro Pro
Nitro Reader
PDF Architect 6
PDF Studio Pro
PDF Studio Viewer 2018
PDF-XChange Editor/Viewer
PDFelement6 Pro
PhantomPDF
Soda PDF
Soda PDF Desktop