CVE-2023-46250

Published: Oct 31, 2023

Modified: Sep 5, 2024

PUBLISHED

CVSS v3.1

5.1

MEDIUM

Description

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.

Vendor	Product	Versions
py-pdf	pypdf	affected `>= 3.7.0, < 3.17.0`

Weaknesses (CWE)

CWE-835

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f

x_refsource_CONFIRM

https://github.com/py-pdf/pypdf/pull/2264

x_refsource_MISC

https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-46250

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References