CVE-2023-36464

2023-06-2722:15:11

CWE-835

GitHub_M

web.nvd.nist.gov

pypdf

cve-2023-36464

pdf library

security vulnerability

infinite loop

upgrade

patch

CVSS3

6.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if __parse_content_stream is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line while peek not in (b"\r", b"\n") in pypdf/generic/_data_structures.py to while peek not in (b"\r", b"\n", b"").

Affected configurations

Nvd

Vulners

Node

pypdf_projectpypdfRange<3.9.0

pypdf2_projectpypdf2Range2.2.0≥

VendorProductVersionCPE
pypdf_projectpypdf*cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
pypdf2_projectpypdf2*cpe:2.3:a:pypdf2_project:pypdf2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pypdf_project	pypdf	*	cpe:2.3:a:pypdf_project:pypdf::::::::
pypdf2_project	pypdf2	*	cpe:2.3:a:pypdf2_project:pypdf2::::::::

CNA Affected

[
  {
    "vendor": "py-pdf",
    "product": "pypdf",
    "versions": [
      {
        "version": " pypdf: < 3.90",
        "status": "affected"
      },
      {
        "version": "PyPDF2: >= 2.2.0",
        "status": "affected"
      }
    ]
  }
]