CVE-2023-36807 – pypdf2
Package
Manager: pip
Name: pypdf2
Vulnerable Version: =2.10.5 || >=2.10.5 <2.10.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00219 (percentile 0.44482)
Details
PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects

### Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This is the case, for example, when the user extracts metadata from such a malformed PDF.

### Patches

The issue was fixed with https://github.com/py-pdf/pypdf/pull/1331

### Workarounds

If you cannot update your version of `PyPDF2` (preferably to `pypdf>3.1.0` as PyPDF2 is deprecated), you should modify `PyPDF2/generic/_data_structures.py::read_object`.

Replace:

```python
else:
    # number object OR indirect reference
    peek = stream.read(20)
    stream.seek(-len(peek), 1)  # reset to start
    if IndirectPattern.match(peek) is not None:
        return IndirectObject.read_from_stream(stream, pdf)
    else:
        return NumberObject.read_from_stream(stream)
```

by

```python
elif tok in b"0123456789+-.":
    # number object OR indirect reference
    peek = stream.read(20)
    stream.seek(-len(peek), 1)  # reset to start
    if IndirectPattern.match(peek) is not None:
        return IndirectObject.read_from_stream(stream, pdf)
    else:
        return NumberObject.read_from_stream(stream)
else:
    raise PdfReadError(
        f"Invalid Elementary Object starting with {tok} @{stream.tell()}"
    )
```

### References

* [pypdf issue #1329](https://github.com/py-pdf/pypdf/issues/1329)
* [pypdf PR #1331](https://github.com/py-pdf/pypdf/pull/1331)
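The following is a constructed, simplified model of the dispatch that PR #1331 changed, added here as an illustration; it is not pypdf's code, and the names `read_object`, `parse_objects`, `classify` and the two exception classes are assumptions. It shows why a lead byte that no reader consumes makes a container loop spin (CWE-835) and how rejecting unknown lead bytes turns that hang into a `PdfReadError`.

```python
import re
class PdfReadError(Exception):
    """Hardened dispatch: no reader accepts the leading byte."""

class WouldLoopForever(Exception):
    """Harness: a read cycle consumed nothing, so the real loop would spin."""

# Constructed, simplified stand-in for pypdf's elementary-object dispatch
# (not the library's code); only the decision PR #1331 changed is modelled.
_NUMBER = re.compile(rb"[+-]?(?:\d+\.?\d*|\.\d+)")
_KEYWORD = re.compile(rb"true|false|null")

def read_number(data, pos):
    # Like NumberObject.read_from_stream: a non-numeric lead byte consumes nothing.
    m = _NUMBER.match(data, pos)
    return (m.group(0), m.end()) if m else (b"", pos)

def read_object(data, pos, hardened):
    tok = data[pos:pos + 1]
    if (m := _KEYWORD.match(data, pos)):      # true / false / null
        return m.group(0), m.end()
    if hardened and tok not in b"0123456789+-.":   # the check PR #1331 added
        raise PdfReadError(f"Invalid Elementary Object starting with {tok!r} @{pos}")
    return read_number(data, pos)             # pre-fix: anything else is "a number"

def parse_objects(data, hardened):
    # Drives read_object the way a container (array/dictionary) reader does.
    # The real loop is unbounded; here a zero-byte cycle is reported instead.
    pos, out = 0, []
    while True:
        while pos < len(data) and data[pos] in b" \t\r\n":
            pos += 1
        if pos >= len(data):
            return out
        obj, new_pos = read_object(data, pos, hardened)
        if new_pos == pos:
            raise WouldLoopForever(f"no progress at offset {pos}")
        out.append(obj)
        pos = new_pos

def classify(data, hardened):
    """'parsed', 'hang' or 'rejected' for one buffer under one dispatch."""
    try:
        parse_objects(data, hardened)
        return "parsed"
    except WouldLoopForever:
        return "hang"
    except PdfReadError:
        return "rejected"
```

The constructed input `b"1 \x80 2"` stands in for a malformed object: under the old dispatch it never advances, under the new one it is rejected immediately.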
Metadata
Created: 2023-06-30T22:19:39Z
Modified: 2023-06-30T22:19:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hm9v-vj3r-r55m/GHSA-hm9v-vj3r-r55m.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-hm9v-vj3r-r55m
Finding: F138
Auto approve: 1