Kofax Power PDF PDF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-42038

7.8HIGH

Key Information:

Vendor: Kofax
Status: Power PDF
Vendor: CVE Published:; 3 May 2024

What is CVE-2023-42038?

The vulnerability in Kofax Power PDF is a heap-based buffer overflow that can be exploited by remote attackers to execute arbitrary code. This occurs due to inadequate validation of user-supplied data when parsing PDF files. Specifically, the flaw allows an attacker to manipulate the length of the data before it is copied to a fixed-length heap buffer. Exploitation requires user interaction, where the victim must either visit a malicious webpage or open a compromised PDF file. Once triggered, this vulnerability could lead to unauthorized code execution in the context of the affected process, posing significant security risks.

Affected Version(s)

Power PDF 5.0.0.57 (5.0.0.10)

References

https://www.zerodayinitiative.com/advisories/ZDI-23-1394/

x_research-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Sep 6, 2023