CVE-2020-35702: Buffer Overflow
First published: Fri Dec 25 2020(Updated: )
** DISPUTED ** DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. NOTE: later reports indicate that this only affects builds from Poppler git clones in late December 2020, not the 20.12.1 release. In this situation, it should NOT be considered a Poppler vulnerability. However, several third-party Open Source projects directly rely on Poppler git clones made at arbitrary times, and therefore the CVE remains useful to users of those projects.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| freedesktop poppler | =20.12.1 | |
| =20.12.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-35702?
CVE-2020-35702 is a vulnerability in Poppler 20.12.1 that allows a crafted PDF document to cause a heap-based buffer overflow in the DCTStream::getChars function in DCTStream.cc.
How severe is CVE-2020-35702?
CVE-2020-35702 has a severity rating of 7.8 (high).
Which software versions are affected by CVE-2020-35702?
Poppler 20.12.1 is affected by CVE-2020-35702.
How can CVE-2020-35702 be exploited?
CVE-2020-35702 can be exploited by using a crafted PDF document.
Is there a fix available for CVE-2020-35702?
The fix for CVE-2020-35702 is available in later builds of Poppler git clones from late December 2020.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- status/disputed
- vendor/freedesktop
- canonical/freedesktop poppler
- version/freedesktop poppler/20.12.1