CVE-2018-11797: In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.77066%
CWE
Published
10/17/2018
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.pdfbox:pdfbox | maven | >= 1.8.0, < 1.8.16 | 1.8.16 |
org.apache.pdfbox:pdfbox | maven | >= 2.0.0, < 2.0.12 | 2.0.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on uncontrolled resource consumption during page tree parsing. Analysis of PDFBox
architecture indicates PDPageTree
handles page hierarchy traversal. The getKids()
and getPages()
methods are core to recursive page tree processing, and would be involved in cyclic or excessively deep page tree traversal. While exact patch details are unavailable, the Fedora
patch notes and CWE-400
classification suggest these tree-walking functions lacked proper cycle detection or depth limits. These functions would appear in profiler data during exploitation as the parser gets stuck processing malicious page tree structures.