CVE-2023-36810

Exploit

EPSS 0.12%
Published 30.06.2023 19:15:09
Last modified 21.11.2024 08:10:38
Source security-advisories@github.com
Teams watchlist Login
Open Login

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Pypdf Project ≫ Pypdf Version <= 1.27.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.322

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
security-advisories@github.com	6.2	2.5	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

https://github.com/py-pdf/pypdf/issues/582

Vendor Advisory

Exploit

Issue Tracking

https://github.com/py-pdf/pypdf/pull/808

Patch

https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw

Patch

Vendor Advisory

Exploit

https://lists.debian.org/debian-lts-announce/2023/07/msg00019.html

https://nvd.nist.gov/vuln/detail/CVE-2023-36810

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-36810

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-36810

EUVD