CVE-2023-24808

MEDIUM Year: 2023
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-835
View all →

Vulnerability Description

PDFio is a C library for reading and writing PDF files. In versions prior to 1.1.0 a denial of service (DOS) vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. The pdf which causes this crash found in testing is about 28kb in size and was discovered via fuzzing. Anyone who uses this library either as a standalone binary or as a library can be DOSed when attempting to parse this type of file. Web servers or other automated processes which rely on this code to turn pdf submissions into plaintext can be DOSed when an attacker uploads the pdf. Please see the linked GHSA for an example pdf. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2010-1282

MEDIUM
CVSS:6.5(Medium)

Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file.

CWE-8352010

CVE-2015-5239

MEDIUM
CVSS:6.5(Medium)

Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.

CWE-8352015

CVE-2015-5278

MEDIUM
CVSS:6.5(Medium)

The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors re...

CWE-8352015

CVE-2015-5694

MEDIUM
CVSS:6.5(Medium)

Designate does not enforce the DNS protocol limit concerning record set sizes

CWE-8352015

CVE-2015-7850

MEDIUM
CVSS:6.5(Medium)

ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file.

CWE-8352015