[ 
https://issues.apache.org/jira/browse/FOP-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Deodatta Marathe updated FOP-2812:
----------------------------------
    Description: 
Description from CVE
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted 
(or fuzzed) file can trigger an infinite loop which leads to an out of memory 
exception in Apache PDFBox's AFMParser.

Explanation
The Apache PDFBox is vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion'). A successful exploit could trigger an infinite loop scenario that 
may lead to an out-of-memory exception in the AFMParser component, resulting in 
a DoS condition.

Detection
The application is vulnerable by using this component.

Recommendation
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.

Categories
Data

Root Cause
AFMParser.class : [2.0.0-RC1, 2.0.11)

> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be 
> upgraded to 2.0.11
> ----------------------------------------------------------------------------------------------
>
>                 Key: FOP-2812
>                 URL: https://issues.apache.org/jira/browse/FOP-2812
>             Project: FOP
>          Issue Type: Bug
>          Components: unqualified
>    Affects Versions: 2.3
>            Reporter: Deodatta Marathe
>            Priority: Major
>
> Description from CVE
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted 
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory 
> exception in Apache PDFBox's AFMParser.
> Explanation
> The Apache PDFBox is vulnerable to Uncontrolled Resource Consumption 
> ('Resource Exhaustion'). A successful exploit could trigger an infinite loop 
> scenario that may lead to an out-of-memory exception in the AFMParser 
> component, resulting in a DoS condition.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable 
> to this specific issue.
> Categories
> Data
> Root Cause
> AFMParser.class : [2.0.0-RC1, 2.0.11)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
