CVE-2021-21798
First published: Wed Sep 15 2021(Updated: )
An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gonitro Nitro Pro | =13.31.0.605 | |
| Gonitro Nitro Pro | =13.33.2.645 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-21798?
CVE-2021-21798 is a vulnerability in the JavaScript implementation of Nitro Pro PDF.
What is the severity of CVE-2021-21798?
The severity of CVE-2021-21798 is high, with a severity value of 7.8.
How does CVE-2021-21798 work?
CVE-2021-21798 is caused by a return of stack variable address vulnerability that exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer, which can lead to code execution.
Which software versions are affected by CVE-2021-21798?
CVE-2021-21798 affects Nitro Pro versions 13.31.0.605 and 13.33.2.645.
Is there a fix available for CVE-2021-21798?
At the time of this writing, there is no information available about a fix for CVE-2021-21798. It is recommended to follow the vendor's security advisories for updates.
- collector/nvd-index
- vendor/gonitro
- canonical/gonitro nitro pro
- version/gonitro nitro pro/13.31.0.605
- version/gonitro nitro pro/13.33.2.645