CVE-2023-36464

2023-06-2722:15:11

Google

osv.dev

pypdf pdf parsing vulnerability

open source library

infinite loop issue

software upgrade

code modification

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.4%

JSON

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if __parse_content_stream is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line while peek not in (b"\r", b"\n") in pypdf/generic/_data_structures.py to while peek not in (b"\r", b"\n", b"").

CPENameOperatorVersion
pypdfeq1.28.2
pypdfeq2.10.4
pypdfeq2.4.0
pypdfeq3.6.0
pypdfeq1.23
pypdfeq1.25
pypdfeq1.27.11
pypdfeq3.8.0
pypdfeq1.25.1
pypdfeq3.3.0