Versio.io

CVE-2022-24859

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 18-04-2022 09:15
Last modified: - 15-06-2022 05:02
Total changes: - 5

Description

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Low
Attack complexity
Local
Attack vector
High
Availability
None
Confidentiality
None
Integrity
None
Privileges required
Unchanged
Scope
Required
User interaction
5.5
Base score
1.8
3.6
Exploitability score
Impact score
 

Verification logic

OR
OR
vendor=pypdf2_project AND product=pypdf2 AND versionEndExcluding=1.27.5
OR
vendor=Debian AND product=debian_linux AND version=9.0
 

Reference

 


Keywords

NVD

 

CVE-2022-24859

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.