Apache PDFbox up to 2.0.23 PDF File infinite loop

A vulnerability, which was classified as problematic, was found in Apache PDFbox up to 2.0.23. This affects some unknown processing of the component PDF File Handler. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8 
CVSS Vector- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack. The vulnerability exists due to infinite loop when processing PDF files. A remote attacker can consume all available system resources and cause denial of service conditions.

Vulnerable software versions

PDFBox: 2.0, 2.0.0, 2.0.0 RC1, 2.0.0 RC2, 2.0.0 RC3, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23

Basic Matrices

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope:  Unchanged
Exploitation vector Network
Public exploit N/A
Vulnerable software PDFBox
Vendor Apache Foundation

CIA Impact 

Confidentiality Impact: None
Integrity Impact: None
Availability Impact: HIGH
Risk: Medium

  Mitigation

Install updates from vendor’s website.

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-45884 : LINUX KERNEL UP TO 6.0.9 DVBDEV.C DVB_REGISTER_DEVICE USE AFTER FREE

CVE-2022-45884 : LINUX KERNEL UP TO 6.0.9 DVBDEV.C DVB_REGISTER_DEVICE USE AFTER FREE

Description An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating

CVE-2022-41875 : OPTICA UP TO 0.10.1 JSON OJ.SAFE_LOAD DESERIALIZATION

CVE-2022-41875 : OPTICA UP TO 0.10.1 JSON OJ.SAFE_LOAD DESERIALIZATION

Description A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON

CVE-2022-3910 : LINUX KERNEL LOCAL PRIVILEGE IO_URING USE AFTER FREE

CVE-2022-3910 : LINUX KERNEL LOCAL PRIVILEGE IO_URING USE AFTER FREE

Description Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads