Nitro Pro PDF JavaScript document.flattenPages vulnerability [CVE-2021-21798]
CVE number = CVE-2021-21798
An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go out of scope, resulting in the application dereferencing a stale pointer. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger the vulnerability.
Affected Versions
Nitro Pro 13.31.0.605
Nitro Pro 13.33.2.645
Mitigation
To mitigate this vulnerability, one can visit the “JavaScript” item in the preferences and click the “Disable JavaScript” checkbox. As this vulnerability depends on the execution of JavaScript, enabling this option will prevent the vulnerability from being triggered.
You can read more on this vulnerability here – https://talosintelligence.com/vulnerability_reports/TALOS-2021-1267
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.