CVE-2023-46250

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
Configurations

Configuration 1 (hide)

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*

History

08 Nov 2023, 17:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Pypdf Project pypdf
Pypdf Project
CPE cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*
References (MISC) https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d - (MISC) https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d - Patch
References (MISC) https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f - (MISC) https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f - Vendor Advisory
References (MISC) https://github.com/py-pdf/pypdf/pull/2264 - (MISC) https://github.com/py-pdf/pypdf/pull/2264 - Issue Tracking, Patch

31 Oct 2023, 17:07

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-31 16:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-46250

Mitre link : CVE-2023-46250

CVE.ORG link : CVE-2023-46250


JSON object : View

Products Affected

pypdf_project

  • pypdf
CWE
CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')