CVE Vulnerabilities

CVE-2021-27906

Memory Allocation with Excessive Size Value

Published: Mar 19, 2021 | Modified: Nov 21, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
5.5 LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Weakness

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Affected Software

Name Vendor Start Version End Version
Pdfbox Apache 2.0.0 (including) 2.0.22 (including)
Red Hat Fuse 7.9 RedHat pdfbox *
Red Hat Integration RedHat pdfbox *
Libpdfbox-java Ubuntu bionic *
Libpdfbox-java Ubuntu groovy *
Libpdfbox-java Ubuntu hirsute *
Libpdfbox-java Ubuntu impish *
Libpdfbox-java Ubuntu kinetic *
Libpdfbox-java Ubuntu lunar *
Libpdfbox-java Ubuntu mantic *
Libpdfbox-java Ubuntu trusty *
Libpdfbox-java Ubuntu xenial *
Libpdfbox2-java Ubuntu bionic *
Libpdfbox2-java Ubuntu esm-apps/bionic *
Libpdfbox2-java Ubuntu esm-apps/focal *
Libpdfbox2-java Ubuntu focal *
Libpdfbox2-java Ubuntu groovy *
Libpdfbox2-java Ubuntu hirsute *
Libpdfbox2-java Ubuntu impish *
Libpdfbox2-java Ubuntu kinetic *
Libpdfbox2-java Ubuntu lunar *
Libpdfbox2-java Ubuntu mantic *
Libpdfbox2-java Ubuntu trusty *

Potential Mitigations

References