Improper resource allocation in PyPDF2

Description

PyPDF2 quadratic runtime with malformed PDF missing xref marker

Impact

An attacker who exploits this vulnerability can craft a PDF that causes an unexpectedly long runtime. The quadratic runtime blocks the current process and can drive a single CPU core to 100% utilization. It does not affect memory usage.

Patches

https://github.com/py-pdf/pypdf/pull/808

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
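
Because the impact is a parse that blocks the calling process and pins one core, one way to bound it until the patched release is installed is to parse untrusted PDFs in a separate interpreter under a wall-clock budget. This is an added example, not code from the PyPDF2 project or from this advisory; `run_isolated`, `count_pages`, the 10-second budget and the stand-in child programs are assumptions made for illustration, and the child uses the PyPDF2 1.x names `PdfFileReader` and `getNumPages`.

```python
import subprocess
import sys

# Child program: parse the PDF named in argv[1] and print its page count.
# PdfFileReader/getNumPages is the PyPDF2 1.x API (assumed installed version).
PYPDF2_CHILD = """
import sys
from PyPDF2 import PdfFileReader
with open(sys.argv[1], "rb") as fh:
    print(PdfFileReader(fh).getNumPages())
"""


def run_isolated(child_code, pdf_path, timeout_s=10.0):
    """Run child_code in a fresh interpreter; return (status, output).

    status is "ok", "timeout" (the parser exceeded the wall-clock budget and
    was killed) or "error" (the parser exited non-zero, e.g. malformed file).
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_code, pdf_path],
            capture_output=True,
            text=True,
            timeout=timeout_s,  # subprocess.run kills the child on expiry
        )
    except subprocess.TimeoutExpired:
        return "timeout", ""
    if proc.returncode != 0:
        return "error", proc.stderr.strip()
    return "ok", proc.stdout.strip()


def count_pages(pdf_path, timeout_s=10.0):
    """Page count of an untrusted PDF, or None if parsing failed or hung."""
    status, out = run_isolated(PYPDF2_CHILD, pdf_path, timeout_s)
    return int(out) if status == "ok" else None


# Constructed stand-ins for the parser, so the wrapper can be exercised
# without PyPDF2 or a crafted file: one spins a core, one returns at once.
SPIN_CHILD = "while True: pass"
FAST_CHILD = "print(3)"

if __name__ == "__main__":
    print(run_isolated(SPIN_CHILD, "unused.pdf", timeout_s=1.0))
    print(run_isolated(FAST_CHILD, "unused.pdf"))
```

The timeout caps how long one file can hold a core; it does not remove the quadratic behaviour, which only the patched release does.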

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.