CVE-2023-36810 — Inefficient Algorithmic Complexity in Pypdf

CWE-407 — Inefficient Algorithmic Complexity6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 64.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Py-pdf Pypdf Pypdf2 Project Pypdf2 Debian Pypdf2 +1 more

Timeline

PublishedJun 30

Latest updateAug 10

Description

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this v…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5py-pdf/pypdf< 1.27.9

▶debiandebian/pypdf2< pypdf2 1.27.9-1 (bookworm)

▶PyPIpypdf2_project/pypdf2< 1.27.9

▶Debianpypdf2_project/pypdf2< 1.26.0-4+deb11u1+1

▶NVDpypdf_project/pypdf1.27.8

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-36810: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files↗2023-06-30

▶

GHSA

PyPDF2 quadratic runtime with malformed PDF missing xref marker↗2023-06-30

▶

OSV

PyPDF2 quadratic runtime with malformed PDF missing xref marker↗2023-06-30

▶

📋Vendor Advisories

Ubuntu

PyPDF2 vulnerability↗2023-08-10

▶

Debian

CVE-2023-36810: pypdf2 - pypdf is a pure-python PDF library capable of splitting, merging, cropping, and ...↗2023

▶