Miggo Logo

CVE-2018-11797: In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.77066%
Published
10/17/2018
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.pdfbox:pdfboxmaven>= 1.8.0, < 1.8.161.8.16
org.apache.pdfbox:pdfboxmaven>= 2.0.0, < 2.0.122.0.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on uncontrolled resource consumption during page tree parsing. Analysis of PDFBox architecture indicates PDPageTree handles page hierarchy traversal. The getKids() and getPages() methods are core to recursive page tree processing, and would be involved in cyclic or excessively deep page tree traversal. While exact patch details are unavailable, the Fedora patch notes and CWE-400 classification suggest these tree-walking functions lacked proper cycle detection or depth limits. These functions would appear in profiler data during exploitation as the parser gets stuck processing malicious page tree structures.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** P***ox *.*.* to *.*.** *n* *.*.*R** to *.*.**, * **r**ully *r**t** P** *il* **n tri***r *n *xtr*m*ly lon* runnin* *omput*tion w**n p*rsin* t** p*** tr**.

Reasoning

T** vuln*r**ility **nt*rs on un*ontroll** r*sour** *onsumption *urin* p*** tr** p*rsin*. *n*lysis o* `P***ox` *r**it**tur* in*i**t*s `P*P***Tr**` **n*l*s p*** *i*r*r**y tr*v*rs*l. T** `**tKi*s()` *n* `**tP***s()` m*t*o*s *r* *or* to r**ursiv* p*** tr