The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, a Signature Wrapping vulnerability exists in multiple products. An attacker can use /ByteRange and xref manipulations that are not detected by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects eXpert PDF 12 Ultimate, Expert PDF Reader, Nitro Pro, Nitro Reader, PDF Architect 6, PDF Editor 6 Pro, PDF Experte 9 Ultimate, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, PDF-XChange Editor and Viewer, Perfect PDF 10 Premium, Perfect PDF Reader, Soda PDF, and Soda PDF Desktop.
References
Link | Resource |
---|---|
https://pdf-insecurity.org/signature/evaluation_2018.html | Third Party Advisory |
https://pdf-insecurity.org/signature/signature.html | Third Party Advisory |
https://www.foxitsoftware.com/support/security-bulletins.php | Vendor Advisory |
https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/ | Third Party Advisory |
https://pdf-insecurity.org/signature/evaluation_2018.html | Third Party Advisory |
https://pdf-insecurity.org/signature/signature.html | Third Party Advisory |
https://www.foxitsoftware.com/support/security-bulletins.php | Vendor Advisory |
https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
History
27 Nov 2024, 20:11
Type | Values Removed | Values Added |
---|---|---|
First Time |
Pdf-xchange
Pdf-xchange pdf-xchange Editor |
|
CPE | cpe:2.3:a:tracker-software:pdf-xchange_editor:7.0.237.1:*:*:*:*:*:*:* |
cpe:2.3:a:pdf-xchange:pdf-xchange_editor:7.0.237.1:*:*:*:*:*:*:* cpe:2.3:a:pdf-xchange:pdf-xchange_editor:7.0.326:*:*:*:*:*:*:* |
21 Nov 2024, 03:56
Type | Values Removed | Values Added |
---|---|---|
References | () https://pdf-insecurity.org/signature/evaluation_2018.html - Third Party Advisory | |
References | () https://pdf-insecurity.org/signature/signature.html - Third Party Advisory | |
References | () https://www.foxitsoftware.com/support/security-bulletins.php - Vendor Advisory | |
References | () https://www.pdfa.org/recently-identified-pdf-digital-signature-vulnerabilities/ - Third Party Advisory |
Information
Published : 2021-01-07 18:15
Updated : 2024-11-27 20:11
NVD link : CVE-2018-18689
Mitre link : CVE-2018-18689
CVE.ORG link : CVE-2018-18689
JSON object : View
Products Affected
avanquest
- expert_pdf_ultimate
- pdf_experte_ultimate
tracker-software
- pdf-xchange_viewer
linux
- linux_kernel
qoppa
- pdf_studio
- pdf_studio_viewer_2018
pdf-xchange
- pdf-xchange_editor
pdfforge
- pdf_architect
visagesoft
- expert_pdf_reader
microsoft
- windows
apple
- macos
gonitro
- nitro_reader
- nitro_pro
sodapdf
- soda_pdf_desktop
- soda_pdf
soft-xpansion
- perfect_pdf_10
- perfect_pdf_reader
foxitsoftware
- foxit_reader
iskysoft
- pdf_editor_6
- pdfelement6
CWE
CWE-347
Improper Verification of Cryptographic Signature