Lucene search

KrcertCVELIST:CVE-2021-26605

HistoryAug 05, 2021 - 8:22 p.m.

CVE-2021-26605 unidocs ezPDFReader arbitrary command execution vulnerability

2021-08-0520:22:51

CWE-20

krcert

www.cve.org

cve-2021-26605

unidocs

ezpdfreader

arbitrary command execution

input validation

json-rpc communication

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

60.7%

JSON

An improper input validation vulnerability in the service of ezPDFReader allows attacker to execute arbitrary command. This issue occurred when the ezPDF launcher received and executed crafted input values through JSON-RPC communication.

CNA Affected

[
  {
    "platforms": [
      "Windows"
    ],
    "product": "ezPDFReader",
    "vendor": "unidocs",
    "versions": [
      {
        "status": "affected",
        "version": "2.0 ~ 3.0"
      }
    ]
  }
]

References

www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36168

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

60.7%

JSON

Related for CVELIST:CVE-2021-26605