[jira] [Commented] (FOP-2812) pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be upgraded to 2.0.11
[
https://issues.apache.org/jira/browse/FOP-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16596325#comment-16596325
]
simon steiner commented on FOP-2812:
Depends on https://issues.apache.org/jira/browse/PDFBOX-4303
> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be
> upgraded to 2.0.11
> --
>
> Key: FOP-2812
> URL: https://issues.apache.org/jira/browse/FOP-2812
> Project: FOP
> Issue Type: Bug
> Components: unqualified
>Affects Versions: 2.3
>Reporter: Deodatta Marathe
>Assignee: simon steiner
>Priority: Major
>
> Description from CVE
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory
> exception in Apache PDFBox's AFMParser.
> Explanation
> The Apache PDFBox is vulnerable to Uncontrolled Resource Consumption
> ('Resource Exhaustion'). A successful exploit could trigger an infinite loop
> scenario that may lead to an out-of-memory exception in the AFMParser
> component, resulting in a DoS condition.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Categories
> Data
> Root Cause
> AFMParser.class : [2.0.0-RC1, 2.0.11)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (FOP-2812) pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be upgraded to 2.0.11
[
https://issues.apache.org/jira/browse/FOP-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16596074#comment-16596074
]
Deodatta Marathe commented on FOP-2812:
---
Latest fop version uses vulnerable pdfbox fontbox dependency. Please update the
same with fixed pdfbox fontbox version 2.0.11. refer
https://mvnrepository.com/artifact/org.apache.xmlgraphics/fop/2.3
> pdfbox fontbox 2.0.8 has security vulnerability CVE-2018-8036 and should be
> upgraded to 2.0.11
> --
>
> Key: FOP-2812
> URL: https://issues.apache.org/jira/browse/FOP-2812
> Project: FOP
> Issue Type: Bug
> Components: unqualified
>Affects Versions: 2.3
>Reporter: Deodatta Marathe
>Priority: Major
>
> Description from CVE
> In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted
> (or fuzzed) file can trigger an infinite loop which leads to an out of memory
> exception in Apache PDFBox's AFMParser.
> Explanation
> The Apache PDFBox is vulnerable to Uncontrolled Resource Consumption
> ('Resource Exhaustion'). A successful exploit could trigger an infinite loop
> scenario that may lead to an out-of-memory exception in the AFMParser
> component, resulting in a DoS condition.
> Detection
> The application is vulnerable by using this component.
> Recommendation
> We recommend upgrading to a version of this component that is not vulnerable
> to this specific issue.
> Categories
> Data
> Root Cause
> AFMParser.class : [2.0.0-RC1, 2.0.11)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
