CVE-2024-8839: 
PDF-XChange Editor vulnerability analysis and mitigation

CVE-2024-8839 is a vulnerability discovered in PDF-XChange Editor affecting version 10.3.0.386 and earlier. The vulnerability was identified as an Out-Of-Bounds Read Information Disclosure issue in the JB2 File Parsing functionality. The vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity and was publicly disclosed on September 17, 2024 (ZDI Advisory).

The vulnerability exists within the parsing of JB2 files in PDF-XChange Editor. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) by NIST NVD, while Zero Day Initiative rates it at 3.3 LOW (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. The impact is limited to information disclosure, with no direct impact on system integrity or availability. An attacker could potentially leverage this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process (ZDI Advisory).

The vulnerability has been fixed in PDF-XChange Editor version 10.3.1.387. Users are advised to upgrade to this version or later to mitigate the vulnerability (ZDI Advisory).