CVE-2021-31812: A carefully crafted PDF file can trigger an infinite loop while loading the file
First published: Sat Jun 12 2021(Updated: )
Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache PDFBox | >=2.0.0<=2.0.23 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Oracle Banking Corporate Lending Process Management | =14.2.0 | |
| Oracle Banking Corporate Lending Process Management | =14.3.0 | |
| Oracle Banking Corporate Lending Process Management | =14.5.0 | |
| Oracle Banking Credit Facilities Process Management | =14.2.0 | |
| Oracle Banking Credit Facilities Process Management | =14.3.0 | |
| Oracle Banking Credit Facilities Process Management | =14.5.0 | |
| Oracle Banking Supply Chain Finance | =14.2.0 | |
| Oracle Banking Supply Chain Finance | =14.3.0 | |
| Oracle Banking Supply Chain Finance | =14.5.0 | |
| Oracle Retail Customer Management and Segmentation Foundation | =18.1 | |
| Oracle Communications Messaging Server | =8.1 | |
| redhat/pdfbox | <2.0.24 | 2.0.24 |
| IBM Security Risk Manager on CP4S | <=CP4S 1.7.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-31812 https://nvd.nist.gov/vuln/detail/CVE-2021-31812
- https://bugzilla.redhat.com/show_bug.cgi?id=1971658
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/security/cve/cve-2021-31812
- http://www.openwall.com/lists/oss-security/2021/06/12/1
- https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E
- https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.openwall.com/lists/oss-security/2021/06/12/1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1971659
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://github.com/apache/pdfbox/commit/cd17a19e9ab1028dc662e972dd8dbb3fa68b4a33
- https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/203587
- https://www.ibm.com/support/pages/node/6505281 (Advisory)
Frequently Asked Questions
What is CVE-2021-31812?
CVE-2021-31812 is a vulnerability in Apache PDFBox that can trigger an infinite loop while loading a PDF file.
How does CVE-2021-31812 affect Apache PDFBox?
CVE-2021-31812 affects Apache PDFBox by causing a denial of service due to an error while loading a specially-crafted PDF file.
What is the severity of CVE-2021-31812?
CVE-2021-31812 has a severity rating of medium with a CVSS score of 5.5.
How can CVE-2021-31812 be exploited?
CVE-2021-31812 can be exploited by persuading a victim to open a specially-crafted PDF file, which will cause the system to enter into an infinite loop.
How can I fix CVE-2021-31812 in Apache PDFBox?
To fix CVE-2021-31812 in Apache PDFBox, update to version 2.0.24 or later.
- collector/redhat-cve
- collector/nvd-index
- agent/remedy
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/softwarecombine
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-31812
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/apache
- canonical/apache pdfbox
- version/apache pdfbox/2.0.0
- version/apache pdfbox/2.0.23
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/oracle
- canonical/oracle banking corporate lending process management
- version/oracle banking corporate lending process management/14.2.0
- version/oracle banking corporate lending process management/14.3.0
- version/oracle banking corporate lending process management/14.5.0
- canonical/oracle banking credit facilities process management
- version/oracle banking credit facilities process management/14.2.0
- version/oracle banking credit facilities process management/14.3.0
- version/oracle banking credit facilities process management/14.5.0
- canonical/oracle banking supply chain finance
- version/oracle banking supply chain finance/14.2.0
- version/oracle banking supply chain finance/14.3.0
- version/oracle banking supply chain finance/14.5.0
- canonical/oracle retail customer management and segmentation foundation
- version/oracle retail customer management and segmentation foundation/18.1
- canonical/oracle communications messaging server
- version/oracle communications messaging server/8.1
- package-manager/redhat
- vendor/ibm
- canonical/ibm security risk manager on cp4s
- version/ibm security risk manager on cp4s/cp4s 1.7.2.0