Headline
CVE-2022-24859: Build software better, together
PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in ContentStream._readInlineImage only terminates when it finds the EI token, but never actually checks if the stream has already ended. This issue has been resolved in version 1.27.5. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.
Package
pip PyPDF2 ( pip )
Affected versions
<=1.27.4
Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 user wrote the following code:
from PyPDF2 import PdfFileReader, PdfFileWriter from PyPDF2.pdf import ContentStream
reader = PdfFileReader("malicious.pdf", strict=False) for page in reader.pages: ContentStream(page.getContents(), reader)
Patches
PyPDF2==1.27.5 and later are patched.
Credits to Sebastian Krause for finding (issue) and fixing (PR) it.
CVE ID
CVE-2022-24859
GHSA ID
GHSA-xcjx-m2pj-8g79
CVSS Score
6.2 Moderate
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related news
fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.