NVD Vulnerability Detail

CVE-2022-24859

Summary	PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.
Publication Date	April 19, 2022, 4:15 a.m.
Registration Date	April 19, 2022, 10 a.m.
Last Update	Nov. 21, 2024, 3:51 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:pypdf2_project:pypdf2::::::::					1.27.5

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/py-pdf/PyPDF2/issues/329	Exploit Third Party Advisory
2	https://github.com/py-pdf/PyPDF2/issues/329	Exploit Third Party Advisory
3	https://github.com/py-pdf/PyPDF2/pull/740	Patch Third Party Advisory
4	https://github.com/py-pdf/PyPDF2/pull/740	Patch Third Party Advisory
5	https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5	Release Notes Third Party Advisory
6	https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5	Release Notes Third Party Advisory
7	https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79	Exploit Third Party Advisory
8	https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79	Exploit Third Party Advisory
9	https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html	Mailing List Third Party Advisory
11	https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html
12	https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html

Common Vulnerabilities List

JVN Vulnerability Information

pypdf2 project の pypdf2 他複数ベンダの製品における無限ループに関する脆弱性

Title	pypdf2 project の pypdf2 他複数ベンダの製品における無限ループに関する脆弱性
Summary	pypdf2 project の pypdf2 他複数ベンダの製品には、無限ループに関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	April 18, 2022, midnight
Registration Date	July 27, 2023, 5:18 p.m.
Last Update	July 27, 2023, 5:18 p.m.

Affected System

pypdf2 project

pypdf2 1.27.5 未満

Debian

Debian GNU/Linux 9.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-24859	https://www.cve.org/CVERecord?id=CVE-2022-24859
National Vulnerability Database (NVD)
2	CVE-2022-24859	https://nvd.nist.gov/vuln/detail/CVE-2022-24859

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-835	https://cwe.mitre.org/data/definitions/835.html

その他

No	Name	URL
関連文書
1	github.com (1.27.5)	https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5
2	github.com (GHSA-xcjx-m2pj-8g79)	https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79
3	github.com (issues/329)	https://github.com/py-pdf/PyPDF2/issues/329
4	github.com (pull/740)	https://github.com/py-pdf/PyPDF2/pull/740
5	lists.debian.org (msg00001)	https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html
6	lists.debian.org (msg00013)	https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html

Change Log

No	Changed Details	Date of change
1	[2023年07月27日] 掲載	July 27, 2023, 5:18 p.m.