CVE-2017-12595 — Improper Input Validation in Project Qpdf

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption10 documents8 sources

Severity

7.8HIGHNVD

EPSS

2.1%

top 15.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qpdf Project Qpdf

Timeline

PublishedAug 27

Latest updateMay 14

Description

The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianqpdf_project/qpdf< 7.0.0-1+3

▶NVDqpdf_project/qpdf6.0.0, 7.0.b1+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-q7vh-x7xx-x6hx: The tokenizer in QPDF 6↗2022-05-14

▶

CVEList

CVE-2017-12595: The tokenizer in QPDF 6↗2017-08-27

▶

OSV

CVE-2017-12595: The tokenizer in QPDF 6↗2017-08-27

▶

📋Vendor Advisories

Ubuntu

QPDF vulnerabilities↗2018-05-07

▶

Red Hat

qpdf: Stack overflow when processing deeply nested arrays and dictionaries↗2017-08-22

▶

Debian

CVE-2017-12595: qpdf - The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries,...↗2017

▶

💬Community

Bugzilla

CVE-2017-12595 qpdf: Stack overflow when processing deeply nested arrays and dictionaries↗2017-08-28

▶

Bugzilla

CVE-2017-12595 qpdf: Stack overflow when processing deeply nested arrays and dictionaries [fedora-all]↗2017-08-28

▶

Bugzilla

CVE-2017-12595 qpdf: Stack overflow when processing deeply nested arrays and dictionaries [epel-6]↗2017-08-28

▶