CVE-2018-11797

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Published: Oct 5, 2018
Updated: Nov 8, 2023
CVE: CVE-2018-11797
GHSA: GHSA-gx96-vgf7-hwfg
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
apache / pdfbox	2.0-rc3	2.0-rc3.x
apache / pdfbox	2.0-rc2	2.0-rc2.x
apache / pdfbox	2.0-rc1	2.0-rc1.x
apache / pdfbox	1.8.0	1.8.15.x
apache / pdfbox	2.0.0	2.0.0.x
apache / pdfbox	2.0.1	2.0.11.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
org.apache.pdfbox / pdfbox	1.8.0	1.8.16
org.apache.pdfbox / pdfbox	2.0.0	2.0.12

https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E
https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/10/msg00008.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/
https://lists.fedoraproject.org/archives/list/[email protected]/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX/
https://www.oracle.com/security-alerts/cpuapr2020.html

Vulnerability Database

289,599

CVE-2018-11797