GHSA-jrm6-h9cq-8gqw

Опубликовано: 30 июн. 2023

Источник: github

Github: Прошло ревью

CVSS3: 6.2

Описание

PyPDF2 quadratic runtime with malformed PDF missing xref marker

Impact

An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

Patches

https://github.com/py-pdf/pypdf/pull/808

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Ссылки

Пакеты

Наименование

PyPDF2

pip

Затронутые версииВерсия исправления

<= 1.27.8

1.27.9

EPSS

Процентиль: 32%

0.00123

Низкий

6.2 Medium

CVSS3

CVE ID

CVE-2023-36810

Дефекты

CWE-407

Связанные уязвимости

CVE-2023-36810

CVSS3: 6.2

ubuntu

больше 2 лет назад

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-36810

CVSS3: 6.2

nvd

больше 2 лет назад

CVE-2023-36810

CVSS3: 6.2

debian

больше 2 лет назад

pypdf is a pure-python PDF library capable of splitting, merging, crop ...

BDU:2023-07658

CVSS3: 6.5

fstec

около 5 лет назад

Уязвимость библиотеки для обработки PDF PyPDF2, связанная с алгоритмической сложностью, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 32%

0.00123

Низкий

6.2 Medium

CVSS3

CVE ID

CVE-2023-36810

Дефекты

CWE-407