CVE-2023-46250
Summary
| CVE | CVE-2023-46250 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-31 16:15:00 UTC |
| Updated | 2023-11-08 17:51:00 UTC |
| Description | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Pypdf Project | Pypdf | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| SEC: Infinite recursion when using PdfWriter(clone_from=reader) (#2264) · py-pdf/pypdf@9b23ac3 · GitHub | MISC | github.com | |
| Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF · Advisory · py-pdf/pypdf · GitHub | MISC | github.com | |
| BUG: Infinite recursion when using PdfWriter(clone_from=reader) by Alexhuszagh · Pull Request #2264 · py-pdf/pypdf · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995796 Python (Pip) Security Update for pypdf (GHSA-wjcc-cq79-p63f)