CVE-2023-36807 — Infinite Loop in Project Pypdf2

CWE-835 — Infinite Loop5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 74.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pypdf2 Project Pypdf2 Debian Pypdf2 Py-pdf Pypdf +1 more

Timeline

PublishedJun 30

Description

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In version 2.10.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF. Versions prior to 2.10.5 throw an error, but do not hang f…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/pypdf2< pypdf2 2.10.7-1 (bookworm)

▶PyPIpypdf2_project/pypdf22.10.5 — 2.10.6

▶Debianpypdf2_project/pypdf2< 2.10.7-1

▶CVEListV5py-pdf/pypdf2.10.5

▶NVDpypdf_project/pypdf2.10.5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects↗2023-06-30

▶

OSV

CVE-2023-36807: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files↗2023-06-30

▶

OSV

PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects↗2023-06-30

▶

📋Vendor Advisories

Debian

CVE-2023-36807: pypdf2 - pypdf is a pure-python PDF library capable of splitting, merging, cropping, and ...↗2023

▶