CVE-2023-36464 — Infinite Loop in Project Pypdf

CWE-835 — Infinite Loop6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 89.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypdf2 Project Pypdf2 Pypdf Project Pypdf Debian Pypdf +2 more

Timeline

PublishedJun 27

Latest updateJun 30

Description

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/_data_structures.py` to `while peek not in …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages9 packages

▶debiandebian/pypdf< pypdf 3.4.1-1+deb12u1 (bookworm)

▶debiandebian/pypdf2< pypdf 3.4.1-1+deb12u1 (bookworm)

▶NVDpypdf_project/pypdf< 3.9.0

▶PyPIpypdf_project/pypdf3.1.0 — 3.9.0

▶Debianpypdf_project/pypdf< 3.4.1-1+deb12u1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a character↗2023-06-30

▶

GHSA

pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a character↗2023-06-30

▶

OSV

CVE-2023-36464: pypdf is an open source, pure-python PDF library↗2023-06-27

▶

📋Vendor Advisories

Red Hat

pypdf: Possible Infinite Loop when a comment isn't followed by a character↗2023-06-28

▶

Debian

CVE-2023-36464: pypdf - pypdf is an open source, pure-python PDF library. In affected versions an attack...↗2023

▶