First published: Tue Oct 31 2023(Updated: )
### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. ### Patches The issue was fixed with #2264 ### Workarounds If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
pip/pypdf | >=3.7.0<3.17.0 | 3.17.0 |
Pypdf Project Pypdf | >=3.7.0<3.17.0 | |
>=3.7.0<3.17.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this vulnerability is CVE-2023-46250.
The title of this vulnerability is 'pypdf possible Infinite Loop when PdfWriter(clone_from) is used with a PDF'.
The severity of CVE-2023-46250 is medium with a CVSS score of 5.1.
CVE-2023-46250 affects the pypdf library versions 3.7.0 through 3.16.4.
To fix CVE-2023-46250, update the pypdf library to version 3.17.0 or newer.