Nitro Pro PDF Reader Plagued with Multiple Vulnerabilities

Researchers Aleksandar Nikolic and Cory Duplantis of Cisco Talos discovered multiple vulnerabilities in the Nitro Pro PDF reader, including two code execution flaws and one information disclosure flaw. Cisco Talos reported the vulnerabilities to Nitro PDF in accordance with its disclosure policy; the issues have since been resolved, and an update is available to affected customers.

Nitro Pro PDF Vulnerability Details

Nitro Pro PDF remote code execution vulnerability (CVE-2020-6074)
An exploitable code execution vulnerability is present in Nitro Pro version 13.9.1.155. A specially crafted PDF document causes a use-after-free that leads to remote code execution; any user who opens such a malicious file can trigger the vulnerability. Its severity is reflected in a CVSSv3 score of 8.8.

Nitro Pro PDF object code execution vulnerability (CVE-2020-6092)
This code execution vulnerability also exists in Nitro Pro version 13.9.1.155, in the parsing of Pattern objects. A malicious PDF file can trigger an integer overflow that leads to arbitrary code execution.
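
To illustrate the bug class behind CVE-2020-6092 (an integer overflow in a size computation before allocation), the following C snippet is an added example, not Nitro Pro's code or Talos's finding; it contrasts a naive raster size calculation for a hypothetical pattern cell with a checked version, and the struct layout, field names and size limit are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical raster cell for a tiling pattern. The layout, names and limit
 * below are assumptions used to illustrate the bug class, not real code. */
typedef struct {
    uint32_t width, height, bpp;   /* cell size in pixels, bytes per pixel */
    uint8_t *pixels;
    size_t   nbytes;
} pattern_cell;

/* Vulnerable pattern: all operands are 32-bit, so width * height * bpp wraps.
 * A crafted 65536 x 65536 x 4 cell computes to 0 bytes; later writes into the
 * undersized buffer corrupt the heap. */
uint32_t naive_cell_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened computation: reject zero dimensions, cap bpp, multiply in 64 bits
 * and enforce an absolute limit so the result can neither wrap nor exhaust
 * memory. Returns 0 when the request must be rejected. */
#define MAX_CELL_BYTES ((uint64_t)64 * 1024 * 1024)   /* assumed policy limit */

size_t checked_cell_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t area;
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return 0;
    area = (uint64_t)width * height;      /* at most (2^32-1)^2, fits in 64 bits */
    if (area > MAX_CELL_BYTES / bpp)      /* area * bpp would exceed the limit */
        return 0;
    return (size_t)(area * bpp);
}

/* Allocate a cell with the checked size. calloc also zero-fills the buffer, so
 * a later partial fill cannot leak stale heap contents (the uninitialized
 * memory class behind CVE-2020-6093). */
int pattern_cell_init(pattern_cell *c, uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = checked_cell_bytes(width, height, bpp);
    if (n == 0) return -1;
    c->pixels = calloc(n, 1);
    if (c->pixels == NULL) return -1;
    c->width = width; c->height = height; c->bpp = bpp; c->nbytes = n;
    return 0;
}
```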

Nitro Pro PDF information disclosure vulnerability (CVE-2020-6093)
This vulnerability exists in the XML error handling of Nitro Pro version 13.9.1.155. A specially crafted PDF document can cause uninitialized memory access, resulting in unauthorized information disclosure.

Vulnerabilities Summary
Vulnerability Names and CVE Numbers
  • Nested pages remote code execution vulnerability (CVE-2020-6074)
  • Pattern object code execution vulnerability (CVE-2020-6092)
  • JavaScript XML error handling information disclosure vulnerability (CVE-2020-6093)
Affected Software: Nitro Pro PDF
Affected Version: 13.9.1.155
Vulnerability Timeline
  • 2020-02-19 – Vendor Disclosure
  • 2020-05-18 – Public Release