CVE-2024-8824: 
PDF-XChange Editor vulnerability analysis and mitigation

PDF-XChange Editor contains an out-of-bounds read information disclosure vulnerability (CVE-2024-8824) in the parsing of JB2 files. The vulnerability was discovered by Rocco Calvi and reported through the Zero Day Initiative (ZDI-CAN-24262). The issue was disclosed on September 17, 2024, and affects PDF-XChange Editor installations prior to version 10.3.1.387 (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during JB2 file parsing, which can result in a read past the end of an allocated object. The issue has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) by NIST with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, while Zero Day Initiative rates it at 3.3 (LOW) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. The impact is limited to information disclosure, with no direct impact on system integrity or availability. An attacker could potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the risk (ZDI Advisory).