Vulnerabilities > CVE-2018-1000036 - Missing Release of Resource after Effective Lifetime vulnerability in multiple products

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

nessus

NVD

Published: 2018-05-24

Updated: 2021-12-14

Summary

In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial of service (memory leak) via a crafted file.

Part	Description	Count
Application	Artifex Artifex Mupdf 0.6 Artifex Mupdf 0.7 Artifex Mupdf 0.8 Artifex Mupdf 0.8.15 Artifex Mupdf 0.8.165 Artifex Mupdf 0.9 Artifex Mupdf 0.9.1 Artifex Mupdf 1.0 Artifex Mupdf 1.1 Artifex Mupdf 1.2 Artifex Mupdf 1.3 Artifex Mupdf 1.4 Artifex Mupdf 1.5 Artifex Mupdf 1.6 Artifex Mupdf 1.7 Artifex Mupdf 1.7.1 Artifex Mupdf 1.7A Artifex Mupdf 1.8 Artifex Mupdf 1.8.1 Artifex Mupdf 1.9 Artifex Mupdf 1.9A Artifex Mupdf 1.10 Artifex Mupdf 1.10A Artifex Mupdf 1.11 Artifex Mupdf 1.12 Artifex Mupdf 1.12.0	51
OS	Debian Debian Debian Linux 9.0	1

HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201811-15.NASL
description	The remote host is affected by the vulnerability described in GLSA-201811-15 (MuPDF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MuPDF. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by enticing a user to process a specially crafted file, could possibly execute arbitrary code, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	119160
published	2018-11-27
reporter	This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/119160
title	GLSA-201811-15 : MuPDF: Multiple vulnerabilities