
Cloud Vulnerability DB
A community-led vulnerabilities database
An arbitrary code execution vulnerability (CVE-2020-6116) exists in the rendering functionality of Nitro Software, Inc.'s Nitro Pro 13.13.2.242 and 13.16.2.300. The vulnerability was discovered in May 2020 and patched in September 2020. When drawing the contents of a page using colors from an indexed colorspace, the application can miscalculate the size of a buffer when allocating space for its colors, leading to potential code execution (Talos Report).
The vulnerability occurs in the rendering functionality when processing indexed colorspace data. Due to an integer overflow, the application miscalculates the size of the indexed palette, resulting in an undersized buffer allocation. When loading colors into this buffer, a heap-based buffer overflow occurs. The vulnerability has a CVSSv3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-680 (Integer Overflow to Buffer Overflow) (Talos Report).
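To make the CWE-680 pattern described above concrete, here is an added illustration (not Nitro's code, and not taken from the Talos report): a hypothetical palette-size calculation for a PDF /Indexed colorspace, where the lookup table holds (hival + 1) entries of ncomp bytes each. The unchecked form wraps and yields an undersized allocation; the hardened form rejects any entry/component pair that would overflow, and the loader also refuses a lookup table shorter than the computed size. `MAX_PALETTE_BYTES` is an assumed sanity bound, not a value from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a sane palette (hypothetical; tune per format). */
#define MAX_PALETTE_BYTES (64u * 1024u)

/* Unchecked 32-bit size computation: silently wraps for hostile inputs,
 * so the buffer allocated from it is smaller than the data copied into it. */
uint32_t palette_size_unchecked(uint32_t entries, uint32_t ncomp) {
    return entries * ncomp;   /* e.g. 0x40000000 * 8 wraps to 0 */
}

/* Hardened form: writes the size only when the multiplication cannot wrap
 * and the result is within the sane bound; returns 0 otherwise. */
int palette_size_checked(uint32_t entries, uint32_t ncomp, size_t *out) {
    if (entries == 0 || ncomp == 0) return 0;
    if (entries > UINT32_MAX / ncomp) return 0;   /* would overflow */
    uint32_t bytes = entries * ncomp;
    if (bytes > MAX_PALETTE_BYTES) return 0;
    *out = bytes;
    return 1;
}

/* Loads the palette into a buffer sized by the checked computation and
 * verifies the source stream actually carries that many bytes. */
unsigned char *load_palette(const unsigned char *src, size_t src_len,
                            uint32_t entries, uint32_t ncomp,
                            size_t *out_len) {
    size_t need;
    if (!palette_size_checked(entries, ncomp, &need)) return NULL;
    if (src_len < need) return NULL;   /* truncated lookup table */
    unsigned char *buf = malloc(need);
    if (buf == NULL) return NULL;
    memcpy(buf, src, need);            /* cannot exceed buf: need == alloc */
    *out_len = need;
    return buf;
}
```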
If successfully exploited, this vulnerability can lead to arbitrary code execution under the context of the application. An attacker could potentially gain control of the affected system by having a victim load a specially crafted PDF document (Talos Report).
The vulnerability was patched by the vendor on September 1, 2020. Users should upgrade to a version of Nitro Pro released after this date to protect against this vulnerability (Talos Report).
Source: This report was generated using AI