CVE-2022-37052: 
NixOS vulnerability analysis and mitigation

A reachable Object::getString assertion vulnerability was discovered in Poppler 22.07.0 that allows attackers to cause a denial of service due to a failure in markObject (NVD). The vulnerability was assigned CVE-2022-37052 and was publicly disclosed on August 22, 2023.

The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue stems from a reachable assertion in Object::getString that can be triggered through the markObject functionality. The vulnerability is classified as CWE-617 (Reachable Assertion) (NVD, Ubuntu Security).

When successfully exploited, the vulnerability allows attackers to cause a denial of service condition in applications using the affected Poppler library. The impact is limited to availability with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in multiple versions across different distributions. Ubuntu has released patches for various versions: Ubuntu 22.04 LTS (22.02.0-2ubuntu0.3), Ubuntu 20.04 LTS (0.86.1-0ubuntu1.4), Ubuntu 18.04 LTS (0.62.0-2ubuntu2.14+esm2), and Ubuntu 16.04 LTS (0.41.0-0ubuntu1.16+esm4). The fix is also available through Ubuntu Pro (Ubuntu Security).