CVE-2018-18020Uncontrolled Recursion in Project Qpdf

CWE-674Uncontrolled RecursionCWE-400Uncontrolled Resource Consumption13 documents8 sources
Severity
3.3LOWNVD
EPSS
0.1%
top 71.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Qpdf Project Qpdf
Timeline
PublishedOct 6
Latest updateMay 13

Description

In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

Debianqpdf_project/qpdf< 9.0.0-1+3
Ubuntuqpdf_project/qpdf< 8.0.2-3ubuntu0.1+2

🔴Vulnerability Details

5
GHSA
GHSA-r676-q927-78rr: In QPDF 82022-05-13
OSV
qpdf vulnerabilities2021-08-02
OSV
qpdf vulnerabilities2021-07-29
CVEList
CVE-2018-18020: In QPDF 82018-10-06
OSV
CVE-2018-18020: In QPDF 82018-10-06

📋Vendor Advisories

4
Ubuntu
QPDF vulnerabilities2021-08-02
Ubuntu
QPDF vulnerabilities2021-07-29
Red Hat
qpdf: recursive calls can lead to a DoS in libqpdf/QPDFWriter.cc2018-10-06
Debian
CVE-2018-18020: qpdf - In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWrite...2018

💬Community

3
Bugzilla
CVE-2018-18020 qpdf: recursive calls can lead to a DoS in libqpdf/QPDFWriter.cc [epel-6]2018-11-05
Bugzilla
CVE-2018-18020 qpdf: recursive calls can lead to a DoS in libqpdf/QPDFWriter.cc [fedora-all]2018-11-05
Bugzilla
CVE-2018-18020 qpdf: recursive calls can lead to a DoS in libqpdf/QPDFWriter.cc2018-11-05
CVE-2018-18020 — Uncontrolled Recursion in Project Qpdf | cvebase