MEDIUM Severity

Threat Advisory: CVE-2025-43903

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.

Overview

CVE-2025-43903 is a signature-verification flaw in Poppler's NSS signing backend (NSSCryptoSignBackend.cc). Affected versions do not verify PDF signatures whose SubFilter is adbe.pkcs7.sha1, so a document carrying a forged or mismatched signature of that type can be reported as validly signed. The vulnerability is rated Medium.

Technical Details

The weakness (CWE-347, Improper Verification of Cryptographic Signature) affects Poppler versions before 25.04.0. The NSS backend does not verify adbe.pkcs7.sha1 signatures, the PDF signature format in which the SHA-1 digest of the document's signed byte range is carried as the encapsulated content of a PKCS#7 (CMS) SignedData object. Because that verification is skipped, an attacker can produce a document whose adbe.pkcs7.sha1 signature does not correspond to its contents, and applications that rely on Poppler for signature status will not detect the forgery. As scored, attack complexity is low and no privileges or user interaction are required.
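The following is an added example, not Poppler's code, showing the digest-binding check that a verifier of an adbe.pkcs7.sha1 signature must perform: recompute SHA-1 over the /ByteRange, confirm the range covers the whole file except the /Contents string, and compare the digest with the eContent of the embedded CMS SignedData. It constructs its own sample PDF (single flat /Sig dictionary, no streams) whose CMS carries the correct digest but an empty signerInfos set, so it exercises only the digest binding; checking the CMS signature and certificate chain over that eContent is the second, separate step and needs a real CMS/X.509 library. The field names are standard PDF and CMS; everything else (function names, the sample document, the tamper edit) is assumed for illustration.

```python
"""Digest-binding check for an adbe.pkcs7.sha1 PDF signature (constructed example, not Poppler code)."""
import hashlib
import re
from typing import Optional

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (id-signedData)
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (id-data)
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26 (sha1)
CONTENTS_HEX_LEN = 256   # reserved width of the /Contents hex string in the sample
BR_WIDTH = 40            # reserved width of the /ByteRange numbers in the sample


def der(tag: int, body: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def cms_econtent(cms: bytes) -> Optional[bytes]:
    """Walk ContentInfo -> SignedData -> encapContentInfo and return eContent (None if detached)."""
    _, s, _ = der_read(cms, 0)                    # ContentInfo SEQUENCE
    tag, os_, oe = der_read(cms, s)               # contentType OID
    if tag != 0x06 or cms[os_:oe] != OID_SIGNED_DATA:
        raise ValueError("Contents is not a CMS SignedData")
    _, s, _ = der_read(cms, oe)                   # [0] EXPLICIT content
    _, s, _ = der_read(cms, s)                    # SignedData SEQUENCE
    _, _, s = der_read(cms, s)                    # version INTEGER (skipped)
    _, _, s = der_read(cms, s)                    # digestAlgorithms SET (skipped)
    _, es, ee = der_read(cms, s)                  # encapContentInfo SEQUENCE
    _, _, p = der_read(cms, es)                   # eContentType OID (skipped)
    if p >= ee:
        return None                               # no eContent: a detached signature, not adbe.pkcs7.sha1
    _, s, _ = der_read(cms, p)                    # [0] EXPLICIT eContent
    tag, ds, de = der_read(cms, s)                # OCTET STRING holding the SHA-1 of the ByteRange
    if tag != 0x04:
        raise ValueError("eContent is not an OCTET STRING")
    return cms[ds:de]


def build_cms(digest: bytes) -> bytes:
    """Minimal SignedData with digest as eContent and an empty signerInfos (constructed sample)."""
    encap = der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, digest)))
    signed_data = der(0x30, der(0x02, b"\x01")                                      # version
                      + der(0x31, der(0x30, der(0x06, OID_SHA1) + der(0x05, b"")))  # digestAlgorithms
                      + encap + der(0x31, b""))                                     # signerInfos (empty)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))


def build_sample_pdf() -> bytes:
    """Constructed single-signature PDF whose eContent is the correct SHA-1 of its ByteRange."""
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.sha1\n"
            b"   /ByteRange [" + b" " * BR_WIDTH + b"]\n   /Contents <")
    tail = b"> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    len1 = len(head) - 1                       # everything before '<'
    off2 = len1 + CONTENTS_HEX_LEN + 2         # skip '<', the hex string and '>'
    len2 = len(tail) - 1                       # everything after '>'
    br = f"0 {len1} {off2} {len2}".encode().ljust(BR_WIDTH)
    head = head.replace(b" " * BR_WIDTH, br)   # same width, so the offsets stay valid
    digest = hashlib.sha1(head[:-1] + tail[1:]).digest()
    contents = build_cms(digest).hex().encode().ljust(CONTENTS_HEX_LEN, b"0")  # zero padding is allowed
    return head + contents + tail


def verify_digest_binding(pdf: bytes) -> dict:
    """The checks a verifier must pass before looking at the CMS signature itself."""
    sub = re.search(rb"/SubFilter\s*/([A-Za-z0-9.]+)", pdf)
    br = re.search(rb"/ByteRange\s*\[([0-9\s]+)\]", pdf)
    ct = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", pdf)
    if not (sub and br and ct):
        raise ValueError("no signature dictionary found")   # assumes one flat /Sig dictionary
    off1, len1, off2, len2 = (int(x) for x in br.group(1).split())
    # The ByteRange must cover the whole file except exactly the <...> Contents string;
    # any bytes left out are unsigned and freely modifiable.
    covers_whole_file = (off1 == 0 and off1 + len1 == ct.start(1) - 1
                         and off2 == ct.end(1) + 1 and off2 + len2 == len(pdf))
    computed = hashlib.sha1(pdf[off1:off1 + len1] + pdf[off2:off2 + len2]).digest()
    embedded = cms_econtent(bytes.fromhex(re.sub(rb"\s", b"", ct.group(1)).decode()))
    return {"subfilter": sub.group(1).decode(),
            "covers_whole_file": covers_whole_file,
            "digest_matches": embedded is not None and embedded == computed}


def tamper(pdf: bytes) -> bytes:
    """Same-length edit inside the signed range (constructed): repoint the trailer's /Root."""
    return pdf.replace(b"/Root 1 0 R", b"/Root 2 0 R")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(verify_digest_binding(sample))          # digest_matches: True
    print(verify_digest_binding(tamper(sample)))  # digest_matches: False
```

A verifier that skips the digest comparison, or that accepts the signature without it, reports the tampered document above exactly as it reports the genuine one; that is the class of failure the advisory describes. The ByteRange coverage check is included because it is the other common way a "valid" signature can fail to bind the bytes a viewer displays.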

CVSS Metrics

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The CVSS metrics for this vulnerability are:

  • CVSS version: 3.1
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
  • Base Score: 4.3 (Medium Severity)

Impact

Exploitation does not affect the confidentiality or availability of the host. The impact is to integrity, scored Low because it is confined to the trust placed in signed documents: a viewer or workflow built on an affected Poppler may report a forged or tampered document signed with SubFilter adbe.pkcs7.sha1 as validly signed.

Recommendations

Upgrade Poppler to version 25.04.0 or later, or to a distribution package that carries the fix. Poppler is a library used by many PDF viewers and tools, so the version that matters is that of the installed libpoppler, not only the poppler-utils command-line programs; the utilities report it with -v (for example pdfinfo -v). Signature results obtained from an affected version for documents signed with SubFilter adbe.pkcs7.sha1 should not be trusted and should be re-verified after upgrading. Reference: CWE-347, Improper Verification of Cryptographic Signature (https://cwe.mitre.org/data/definitions/347.html).

Threat Metrics

  • cvss_score: 4.3
  • severity: MEDIUM
  • attack_vector: LOCAL
  • attack_complexity: LOW
