CVE-2023-36464

2023-06-2722:15:11

CWE-835

[email protected]

web.nvd.nist.gov

pypdf

cve-2023-36464

pdf library

security vulnerability

infinite loop

upgrade

patch

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if __parse_content_stream is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line while peek not in (b"\r", b"\n") in pypdf/generic/_data_structures.py to while peek not in (b"\r", b"\n", b"").

Affected configurations

Vulners

NVD

Node

py-pdfpypdfRange<3.90

py-pdfpypdfRange2.2.0≥

CPENameOperatorVersion
pypdf_project:pypdfpypdf project pypdflt3.9.0
pypdf2_project:pypdf2pypdf2 project pypdf2eq*

CPE	Name	Operator	Version
pypdf_project:pypdf	pypdf project pypdf	lt	3.9.0
pypdf2_project:pypdf2	pypdf2 project pypdf2	eq	*

CNA Affected

[
  {
    "vendor": "py-pdf",
    "product": "pypdf",
    "versions": [
      {
        "version": " pypdf: < 3.90",
        "status": "affected"
      },
      {
        "version": "PyPDF2: >= 2.2.0",
        "status": "affected"
      }
    ]
  }
]