CVE-2021-21796
Nitro Pro vulnerability analysis and mitigation

Overview

CVE-2021-21796 is a use-after-free vulnerability discovered in Nitro Pro PDF, part of Nitro Software's Productivity Suite. The vulnerability was disclosed on October 13, 2021, affecting Nitro Pro versions 13.31.0.605 and 13.33.2.645. A specially crafted PDF document can trigger this vulnerability when opened by a target user (Talos Blog).

Technical details

The vulnerability exists in the JavaScript implementation of Nitro Pro PDF. When a specially crafted document is processed, an object containing the path to a document can be destroyed and later reused, resulting in a use-after-free condition. The vulnerability received a CVSS v3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-416 (Use After Free) (Talos Intelligence).

Impact

If successfully exploited, this vulnerability can lead to code execution in the context of the application, with the privileges of the user who opened the document. The high CVSS score of 8.8 indicates severe potential impact on the confidentiality, integrity, and availability of the affected system (Talos Intelligence).

Mitigation and workarounds

Users are encouraged to update to the latest version of Nitro Pro, as patches have been released to address this vulnerability. Where updating is not immediately possible, the risk can be reduced by disabling JavaScript functionality in the software's settings, since the vulnerable code path is reached through the application's JavaScript implementation (Talos Blog).

This report was generated using AI.

Related Nitro Pro vulnerabilities:

CVE ID          Severity  Score  Technologies                                          Component name     CISA KEV exploit  Has fix  Published date
CVE-2024-35288  HIGH      7.8    Nitro Pro (cpe:2.3:a:gonitro:nitro_pdf_pro)           Nitro Pro          No                Yes      Oct 09, 2024
CVE-2021-21797  HIGH      7.8    Nitro Pro (cpe:2.3:a:gonitro:nitro_pro)               Nitro Pro          No                Yes      Oct 18, 2021
CVE-2021-21796  HIGH      7.8    Nitro Pro (cpe:2.3:a:gonitro:nitro_pro)               Nitro Pro          No                Yes      Oct 18, 2021
CVE-2021-21798  HIGH      7.8    Nitro Pro (cpe:2.3:a:gonitro:nitro_pro)               Nitro Pro          No                Yes      Sep 15, 2021
CVE-2018-18689  MEDIUM    5.3    Foxit PDF Reader (cpe:2.3:a:foxitsoftware:foxit_reader)  Foxit PDF Reader   No                Yes      Jan 07, 2021
