CVE-2018-9918

Published: 10/04/2018 Updated: 03/10/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

libqpdf.a in QPDF up to and including 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote malicious users to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.

Vulnerable Product

qpdf project qpdf

canonical ubuntu linux 16.04

canonical ubuntu linux 14.04

canonical ubuntu linux 17.10

Vendor Advisories

Debian Bug report logs - #895443 qpdf: CVE-2018-9918 Package: src:qpdf; Maintainer for src:qpdf is Jay Berkenbilt <qjb@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 11 Apr 2018 15:06:01 UTC Severity: important Tags: security, upstream Found in versions qpdf/231-4, qpdf/600-2, qpdf ...
Several security issues were fixed in QPDF ...
libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted ...