CVE-2018-11797

EUVD-2018-0607
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |

EPSS Score
Percentile: 81%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | pdfbox | 1.8.0 ≤ 𝑥 ≤ 1.8.15 |
| apache | pdfbox | 2.0.1 ≤ 𝑥 ≤ 2.0.11 |
| apache | pdfbox | 2.0:rc1 |
| apache | pdfbox | 2.0:rc2 |
| apache | pdfbox | 2.0:rc3 |
| apache | pdfbox | 2.0.0 |
| oracle | retail_xstore_point_of_service | 17.0 |

𝑥 = Vulnerable software versions

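Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libpdfbox-java | bookworm | 1:1.8.16-2 | fixed |
| libpdfbox-java | bullseye | 1:1.8.16-2 | fixed |
| libpdfbox-java | sid | 1:1.8.16-5 | fixed |
| libpdfbox-java | stretch | | no-dsa |
| libpdfbox-java | trixie | 1:1.8.16-5 | fixed |
| libpdfbox2-java | bookworm | 2.0.27-2 | fixed |
| libpdfbox2-java | bullseye | 2.0.23-1 | fixed |
| libpdfbox2-java | sid | 2.0.29-1 | fixed |
| libpdfbox2-java | stretch | | no-dsa |
| libpdfbox2-java | trixie | 2.0.29-1 | fixed |
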
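Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libpdfbox-java | bionic | Fixed 1:1.8.16-2~18.04 | released |
| libpdfbox-java | cosmic | Fixed 1:1.8.16-2~18.04 | released |
| libpdfbox-java | disco | | not-affected |
| libpdfbox-java | eoan | | not-affected |
| libpdfbox-java | focal | | not-affected |
| libpdfbox-java | groovy | | not-affected |
| libpdfbox-java | hirsute | | not-affected |
| libpdfbox-java | impish | | not-affected |
| libpdfbox-java | jammy | | not-affected |
| libpdfbox-java | kinetic | | not-affected |
| libpdfbox-java | lunar | | not-affected |
| libpdfbox-java | mantic | | not-affected |
| libpdfbox-java | noble | | not-affected |
| libpdfbox-java | trusty | | dne |
| libpdfbox-java | xenial | | needed |
| libpdfbox2-java | bionic | Fixed 2.0.13-2~18.04 | released |
| libpdfbox2-java | cosmic | Fixed 2.0.13-2~18.04 | released |
| libpdfbox2-java | disco | | not-affected |
| libpdfbox2-java | eoan | | not-affected |
| libpdfbox2-java | focal | | not-affected |
| libpdfbox2-java | groovy | | not-affected |
| libpdfbox2-java | hirsute | | not-affected |
| libpdfbox2-java | impish | | not-affected |
| libpdfbox2-java | jammy | | not-affected |
| libpdfbox2-java | kinetic | | not-affected |
| libpdfbox2-java | lunar | | not-affected |
| libpdfbox2-java | mantic | | not-affected |
| libpdfbox2-java | noble | | not-affected |
| libpdfbox2-java | trusty | | dne |
| libpdfbox2-java | xenial | | dne |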