Home > Vulnerability Database > CVE-2023-24808

Mend.io Vulnerability Database

CVE-2023-24808

Good to know:

Date: February 6, 2023

PDFio is a C library for reading and writing PDF files. In versions prior to 1.1.0 a denial of service (DOS) vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. The pdf which causes this crash found in testing is about 28kb in size and was discovered via fuzzing. Anyone who uses this library either as a standalone binary or as a library can be DOSed when attempting to parse this type of file. Web servers or other automated processes which rely on this code to turn pdf submissions into plaintext can be DOSed when an attacker uploads the pdf. Please see the linked GHSA for an example pdf. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: C

Severity Score

6.5

Related Resources (5)

Url: https://github.com/michaelrsweet/pdfio/commit/4f10021e7ee527c1aa24853e2947e38e154d9ccb

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-24808

Url: https://security-tracker.debian.org/tracker/CVE-2023-24808

Url: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-cjc4-x96x-fvgf

Url: https://www.mend.io/vulnerability-database/CVE-2023-24808

Severity Score

6.5

Weakness Type (CWE)

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

Top Fix

Upgrade Version

Upgrade to version v1.1.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-24808

Good to know:

Date: February 6, 2023

Language: C

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?