CVE-2023-36810

2023-06-3019:15:09

CWE-407

GitHub_M

web.nvd.nist.gov

pypdf

pdf

library

fix

cve-2023-36810

vulnerability

upgrade

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

42.7%

JSON

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Vulners

Node

pypdf_projectpypdfRange≤1.27.8

VendorProductVersionCPE
pypdf_projectpypdf*cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pypdf_project	pypdf	*	cpe:2.3:a:pypdf_project:pypdf::::::::

CNA Affected

[
  {
    "vendor": "py-pdf",
    "product": "pypdf",
    "versions": [
      {
        "version": "< 1.27.9",
        "status": "affected"
      }
    ]
  }
]