SB2019090104 - Fedora 30 update for pdfbox
Published: September 1, 2019 Updated: April 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2018-8036)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to infinite loop when handling malicious input. A remote attacker can supple specially crafted (or fuzzed) file, trigger out of memory exception and cause the service to crash.
2) Infinite loop (CVE-ID: CVE-2018-11797)
The vulnerability vulnerability allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a target system.
The vulnerability exists in the Apache PDFBox parser due to improper processing of PDF files when parsing the page tree. A remote attacker can trick the victim into opening a PDF file that submits malicious input to the targeted system, trigger an infinite loop condition, which could lead to an out-of-memory exception and result in a DoS condition.
3) XML External Entity injection (CVE-ID: CVE-2019-0228)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XFDF file to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
Remediation
Install update from vendor's website.