Upstream information

CVE-2022-24859 at MITRE

Description

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial
CVSS v3 Scores
  National Vulnerability Database
Base Score 6.2
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1198588 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP5
  • python3-PyPDF2 >= 1.26.0-bp155.3.3.1
Patchnames:
openSUSE-2024-367
SUSE Package Hub 15 SP6
  • python3-PyPDF2 >= 1.26.0-bp156.4.3.1
Patchnames:
openSUSE-2024-366
openSUSE Leap 15.5
  • python3-PyPDF2 >= 1.26.0-bp155.3.3.1
Patchnames:
openSUSE-2024-367
openSUSE Leap 15.6
  • python3-PyPDF2 >= 1.26.0-bp156.4.3.1
Patchnames:
openSUSE-2024-366


SUSE Timeline for this CVE

CVE page created: Tue Apr 19 02:00:06 2022
CVE page last modified: Wed Nov 13 11:52:49 2024