Originally published: 12/6/2019
Last updated: 12/6/2019
Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.
Affected Versions | Vulnerability | CVE |
---|---|---|
13.6 and prior | Heap Corruption JPEG2000 ssizDepth: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to heap corruption and the application crashing. Arbitrary remote code execution has not been proven but may be possible. | CVE-2019-5045 |
13.6 and prior | Heap Corruption JPEG2000 yTsiz: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to heap corruption and the application crashing. Arbitrary remote code execution has not been proven but may be possible. | CVE-2019-5046 |
13.6 and prior | Use After Free CharProcs: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to a use-after-free condition and the application crashing. | CVE-2019-5047 |
13.6 and prior | Heap Corruption ICCBased Color Space: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to heap corruption and the application crashing. Arbitrary remote code execution has not been proven but may be possible. | CVE-2019-5048 |
13.6 and prior | Heap Corruption Page Kids: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to heap corruption and the application crashing. Arbitrary remote code execution has not been proven but may be possible. | CVE-2019-5050 |
Nitro recommends that customers who purchased through the Nitro eCommerce store update their software to the latest version below. Customers on Team plans may contact their Nitro Account Manager for access to updated installers and deployment instructions. Customers on Enterprise plans who have an assigned Customer Success Manager will receive details of updated releases that address the issues.
Updated Version | Availability |
---|---|
13.8.2.140 | Please update to the latest version of Nitro Pro 13 available here |
For more information, please contact the Nitro Security Team at security@gonitro.com
Originally published: 10/31/2019
Last updated: 12/6/2019
Nitro is actively working to address the potential vulnerabilities listed below and is targeting resolution of all issues by the end of 2019.
Affected Versions | Vulnerability | CVE |
---|---|---|
13.6 and prior | A vulnerability exists when opening a specially crafted malicious PDF document which can lead to heap corruption and the application crashing. Arbitrary remote code execution has not been proven but may be possible. | CVE-2019-5045, CVE-2019-5050, CVE-2019-5048, CVE-2019-5046 |
13.6 and prior | A vulnerability exists when opening a specially crafted malicious PDF document which can lead to a use-after-free condition and the application crashing. | CVE-2019-5047 |
13.6 and prior | Use After Free Stream Length: A vulnerability exists when opening a specially crafted malicious PDF document which can lead to a use-after-free condition and the application crashing. | CVE-2019-5053 |
Originally published: 10/18/2019
Last updated: 10/18/2019
Nitro is actively working to address several recently published potential vulnerabilities. Upon being made aware of their existence, we evaluated the accuracy of the claims, assessed the severity and likelihood of any exploitation, and (based on our existing proactive vulnerability analysis and handling procedures) placed the vulnerabilities in our remediation queue.
We are taking these vulnerabilities seriously and will address them in an upcoming update. For additional information, you may contact security@gonitro.com.
Originally published: 11/17/2017
Last updated: 11/17/2017
Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.
Affected Versions | Vulnerability | CVE |
---|---|---|
11.0.6 and prior; 10.5.9.14 and prior | A vulnerability exists in the Doc.SaveAs function which could be exploited by a specially crafted PDF file, potentially leading to a File Write taking place outside of the intended path. | CVE-2017-7442 |
11.0.6 and prior; 10.5.9.14 and prior | A vulnerability exists in the Doc.SaveAs function which could be exploited by a specially crafted PDF file, potentially leading to a URL launch taking place in conjunction with a Security Alert. | CVE-2017-7442 |
Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.
Updated Version | Availability |
---|---|
11.0.8.470 | Please update to the latest version of Nitro Pro 11 available here |
10 | Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here |
For more information, please contact the Nitro Security Team at security@gonitro.com
Originally published: 9/27/2017
Last updated: 9/27/2017
Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.
Affected Versions | Vulnerability | CVE |
---|---|---|
11.0.5.271 and prior; 10.5.9.14 and prior | A memory write vulnerability that could potentially be exploited when opening a specially crafted PDF file with a specific Count field, leading to memory corruption and a crash. | CVE Pending |
11.0.5.271 and prior; 10.5.9.14 and prior | A use-after-free vulnerability exists that could potentially be exploited when opening a specially crafted PDF file containing a malformed JPEG2000 image, leading to memory corruption and a crash. | CVE Pending |
Nitro recommends Personal (individual) users update their software to the latest version below. Business customers may contact their Nitro Account Manager for access to any security updates and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.
Updated Version | Availability |
---|---|
11.0.8.470 | Please update to the latest version of Nitro Pro 11 available here |
10 | Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here |
For more information, please contact the Nitro Security Team at security@gonitro.com
Originally published: 7/21/2017
Last updated: 8/25/2017
Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.
Affected Versions | Vulnerability | CVE |
---|---|---|
11.0.3.173 and prior; 10.5.9.14 and prior | An out-of-bounds memory write vulnerability that could potentially be exploited when opening a specially crafted PDF file, leading to memory corruption and a crash. | CVE-2017-2796 |
11.0.3.173 and prior; 10.5.9.14 and prior | A heap overflow vulnerability that could potentially be exploited when opening a specially crafted PCX image file, resulting in memory corruption and a crash. | CVE-2017-7950 |
Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.
Updated Version | Availability |
---|---|
11.0.8.470 | Please update to the latest version of Nitro Pro 11 available here |
10 | Nitro is unable to fix this vulnerability in Nitro Pro 10. Please upgrade to the latest version of Nitro Pro 11 available here |
For more information, please contact the Nitro Security Team at security@gonitro.com
Originally published: 2/3/2017
Last updated: 8/25/2017
Nitro has released a new version of Nitro Pro, which resolves potential security vulnerabilities.
Affected Versions | Vulnerability | CVE |
---|---|---|
11.0.3.134 and prior; 10.5.9.9 and prior | A specially crafted PDF file can potentially cause memory corruption leading to a crash. | CVE-2016-8709, CVE-2016-8713 |
11.0.3.134 and prior; 10.5.9.9 and prior | A potential remote code execution vulnerability in the PDF parsing functionality of Nitro Pro. | CVE-2016-8711 |
Nitro recommends Personal (individual) users update their software to the latest version, which includes fixes for these vulnerabilities. Business customers may contact their Nitro Account Manager for access to the latest version and deployment instructions. Enterprise customers with a dedicated Customer Success Manager will receive details of updated releases that address the issues.
Updated Version | Availability |
---|---|
11.0.8.470 | Please update to the latest version of Nitro Pro 11 available here |
10.5.9.14+ | Please update to the latest version of Nitro Pro 10 available here |
For more information, please contact the Nitro Security Team at security@gonitro.com
Policy
Nitro is proud to have required few historical Product Updates for security vulnerabilities. Keeping user information safe and secure is a top priority and a core company value for us at Nitro. We welcome the contribution of external security researchers and look forward to rewarding them for their invaluable contribution to the security of all Nitro users.
Rewards
Nitro provides rewards for accepted vulnerability reports at its discretion. Our minimum reward is a $25 USD Amazon gift card. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report. Keep in mind that this is not a contest or competition. We reserve the right to determine amount or even whether a reward should be granted.
Applications in Scope
Nitro Pro, Nitro Cloud and Nitro Admin applications are eligible for the bounty program. In addition, any cloud-based partner platform applications are also eligible (e.g., Nitro File Actions). We may still reward anything with significant impact across our entire security posture, so we encourage you to report such vulnerabilities via this program.
Security Vulnerability Reporting & Eligibility
All Nitro security vulnerabilities should be reported via email to the Nitro Security Team at security@gonitro.com. To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:
We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
We will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
Security Vulnerability Process:
(1) Nitro will acknowledge and assess any vulnerability reported according to the instructions above, typically within 7 days.
(2) When a vulnerability is confirmed, Nitro will conduct risk analysis using the Common Vulnerability Scoring System (CVSS v3) and determine the most appropriate response for Nitro customers.
(3) Nitro will design, implement & test a fix for all Critical Security Vulnerabilities, and provide a Product Update to customers, typically within 90 days.
(4) Nitro will publicly disclose all Critical Security Vulnerabilities, affected versions, and relevant details of Product Updates that address the issues, on this Nitro Security Updates page. Nitro does not publicly acknowledge individual security researchers for their submissions.
Out-of-Scope Security Vulnerabilities
The following issues are outside the scope of this policy & rewards program:
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with Nitro’s Security Vulnerability & Bug Bounty Policy, Nitro will take steps to make it known that your actions were conducted in compliance with this policy.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.
The Fine Print
You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Nitro employees and their family members are not eligible for any rewards.
In order to encourage the adoption of bug bounty programs and promote uniform security best practices across the industry, Nitro reserves no rights in this bug bounty policy and so you are free to copy and modify it for your own purposes.
For more information, please contact the Nitro Security Team at security@gonitro.com