Out-of-bounds read vulnerability in JBIG2Bitmap::combine function in JBIG2Stream.cc
CVE-2024-56378

4.3MEDIUM

Key Information:

Vendor

Poppler

Vendor
CVE Published:
23 December 2024

What is CVE-2024-56378?

CVE-2024-56378 is an out-of-bounds read vulnerability found in the Poppler library, specifically within the JBIG2Bitmap::combine function. Poppler is a widely used open-source PDF rendering library that serves as a core component in several applications for rendering and manipulating PDF documents. This vulnerability could negatively impact organizations that integrate Poppler into their systems, potentially leading to information leaks or crashes due to improper handling of PDF data.

Technical Details

The vulnerability arises from an out-of-bounds read in the libpoppler.so library, which processes JBIG2-compressed images within PDFs. The issue is specifically located in the JBIG2Stream.cc file. Maliciously crafted PDF documents could exploit this flaw, leading to unexpected behaviors in applications reliant on Poppler, such as reading beyond the allocated memory. This could expose sensitive data or result in application instability.

Potential Impact of CVE-2024-56378

  1. Information Disclosure: Exploiting this vulnerability may allow attackers to read sensitive data from memory, potentially leaking confidential information processed by applications utilizing Poppler.

  2. Application Crashes: The out-of-bounds read could lead to application instability or crashes, affecting the usability of services that depend on the Poppler library for PDF rendering and manipulation.

  3. Increased Attack Surface: As this vulnerability exists in a widely adopted library, it increases the overall attack surface for organizations. Attackers may leverage this flaw as a stepping stone for further exploitation of systems that incorporate Poppler, potentially compromising wider network security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553
https://gitlab.freedesktop.org/poppler/poppler/-/commit/a...
https://gitlab.freedesktop.org/poppler/poppler/-/blob/30e...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.