CVE-2021-27906

Summary

CVE	CVE-2021-27906
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-03-19 16:15:00 UTC
Updated	2023-11-07 03:32:00 UTC
Description	A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Pdfbox	All	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.2.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.3.0	All	All	All
Application	Oracle	Banking Corporate Lending Process Management	14.5.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.2.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.3.0	All	All	All
Application	Oracle	Banking Credit Facilities Process Management	14.5.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.2.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.3.0	All	All	All
Application	Oracle	Banking Supply Chain Finance	14.5.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.2.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.3.0	All	All	All
Application	Oracle	Banking Trade Finance Process Management	14.5.0	All	All	All
Application	Oracle	Banking Treasury Management	14.5	All	All	All
Application	Oracle	Banking Virtual Account Management	14.2.0	All	All	All
Application	Oracle	Banking Virtual Account Management	14.3.0	All	All	All
Application	Oracle	Banking Virtual Account Management	14.5.0	All	All	All
Operating System	Oracle	Communications Messaging Server	8.1	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Flexcube Universal Banking	14.5.0	All	All	All
Application	Oracle	Flexcube Universal Banking	All	All	All	All
Application	Oracle	Hyperion Financial Reporting	11.1.2.4	All	All	All
Application	Oracle	Hyperion Financial Reporting	11.2.6.0	All	All	All
Application	Oracle	Hyperion Infrastructure Technology	All	All	All	All
Application	Oracle	Outside In Technology	8.5.5	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Primavera Unifier	18.8	All	All	All
Application	Oracle	Primavera Unifier	19.12	All	All	All
Application	Oracle	Primavera Unifier	20.12	All	All	All
Application	Oracle	Primavera Unifier	All	All	All	All
Application	Oracle	Retail Customer Management And Segmentation Foundation	19.0	All	All	All
Application	Oracle	Retail Xstore Point Of Service	16.0.6	All	All	All
Application	Oracle	Retail Xstore Point Of Service	17.0.4	All	All	All
Application	Oracle	Retail Xstore Point Of Service	18.0.3	All	All	All
Application	Oracle	Retail Xstore Point Of Service	19.0.2	All	All	All
Application	Oracle	Retail Xstore Point Of Service	20.0.1	All	All	All
Application	Oracle	Webcenter Sites	12.2.1.3.0	All	All	All
Application	Oracle	Webcenter Sites	12.2.1.4.0	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 32 Update: pdfbox-2.0.23-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26		lists.apache.org
[pdfbox-dev] 20210518 CVE's		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 33 Update: pdfbox-2.0.23-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
oss-security - CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file	MLIST	www.openwall.com
[SECURITY] Fedora 33 Update: pdfbox-2.0.23-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: pdfbox-2.0.23-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906		lists.apache.org
[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[pdfbox-dev] 20210322 OSS-Fuzz integration		lists.apache.org
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
Pony Mail!	CONFIRM	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[SECURITY] Fedora 34 Update: pdfbox-2.0.23-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)		lists.apache.org
[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906		lists.apache.org
[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 32 Update: pdfbox-2.0.23-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[pdfbox-users] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906		lists.apache.org
[announce] 20210320 CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue

Legacy QID Mappings

180033 Debian Security Update for libpdfbox2-java (CVE-2021-27906)
281070 Fedora Security Update for pdfbox (FEDORA-2021-dc83ae690a)
281071 Fedora Security Update for pdfbox (FEDORA-2021-8b17a2725e)
281439 Fedora Security Update for pdfbox (FEDORA-2021-dc83ae690a)
281440 Fedora Security Update for pdfbox (FEDORA-2021-8b17a2725e)
281441 Fedora Security Update for pdfbox (FEDORA-2021-93469e0030)
375970 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUOCT2021)
980344 Java (maven) Security Update for org.apache.pdfbox:pdfbox (GHSA-6vqp-h455-42mr)