
CVE-2021-27807

A carefully crafted PDF file can trigger an infinite loop while loading the file

Severity Score: 5.5 (CVSS v3.1)
Exploit Likelihood: not recorded (EPSS)
Affected Versions: see the CPE table below
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

The impact is availability only: the thread that loads the file never returns, and no confidentiality or integrity loss is involved. Any service that parses user-supplied PDFs with an affected PDFBox build is therefore exposed to a remotely triggerable denial of service, even though the CVSS v3.1 vector models a user opening the file locally.

*Credits: Apache PDFBox would like to thank Fabian Meumertzheim for reporting this issue
CVSS Scores

CVSS v3.1, base score 5.5 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

CVSS v2.0, base score 4.3 (vector AV:N/AC:M/Au:N/C:N/I:N/A:P)
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial

The two vectors differ only on reachability: v3.1 scores a user opening the file on their own machine, v2.0 scores a network-reachable service parsing it. Both agree that the sole impact is availability.
SSVC (organization's worst-case scenario)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
Timeline
  • 2021-02-28 CVE Reserved
  • 2021-03-19 CVE Published
  • 2024-05-20 EPSS Updated
  • 2024-08-03 CVE Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded
CWE
  • CWE-834: Excessive Iteration
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
  • none listed

References (23 on record; 14 captured here)
  • https://lists.apache.org/thread.html/r043edc5dcf9199f7f882ed7906b41cb816753766e88b8792dbf319a9%40%3Cannounce.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50%40%3Cdev.pdfbox.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e%40%3Ccommits.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r4717f902f8bc36d47b3fa978552a25e4ed3ddc2fffb52b94fbc4ab36%40%3Cusers.pdfbox.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b%40%3Cnotifications.james.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8%40%3Cdev.pdfbox.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac%40%3Ccommits.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12%40%3Cnotifications.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e%40%3Cnotifications.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3%40%3Ccommits.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c%40%3Cnotifications.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3%40%3Cnotifications.ofbiz.apache.org%3E (Mailing List)
  • https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9%40%3Cnotifications.ofbiz.apache.org%3E (Mailing List)
  • https://www.oracle.com/security-alerts/cpuapr2022.html (Third Party Advisory)
Affected Vendors, Products, and Versions

Vendor        | Product                                                | Version               | Other | Status
Apache        | Pdfbox                                                 | >= 2.0.0 <= 2.0.22    | -     | Affected
Fedoraproject | Fedora                                                 | 32                    | -     | Affected
Fedoraproject | Fedora                                                 | 33                    | -     | Affected
Fedoraproject | Fedora                                                 | 34                    | -     | Affected
Oracle        | Banking Trade Finance Process Management               | 14.2.0                | -     | Affected
Oracle        | Banking Trade Finance Process Management               | 14.3.0                | -     | Affected
Oracle        | Banking Trade Finance Process Management               | 14.5.0                | -     | Affected
Oracle        | Banking Treasury Management                            | 14.5                  | -     | Affected
Oracle        | Banking Virtual Account Management                     | 14.2.0                | -     | Affected
Oracle        | Banking Virtual Account Management                     | 14.3.0                | -     | Affected
Oracle        | Banking Virtual Account Management                     | 14.5.0                | -     | Affected
Oracle        | Communications Session Report Manager                  | >= 8.0.0 <= 8.2.4.0   | -     | Affected
Oracle        | Flexcube Universal Banking                             | >= 14.0.0 <= 14.3.0   | -     | Affected
Oracle        | Flexcube Universal Banking                             | 14.5.0                | -     | Affected
Oracle        | Hyperion Financial Reporting                           | 11.1.2.4              | -     | Affected
Oracle        | Hyperion Financial Reporting                           | 11.2.6.0              | -     | Affected
Oracle        | Hyperion Infrastructure Technology                     | < 11.2.8.0            | -     | Affected
Oracle        | Outside In Technology                                  | 8.5.5                 | -     | Affected
Oracle        | Primavera Unifier                                      | >= 17.7 <= 17.12      | -     | Affected
Oracle        | Primavera Unifier                                      | 18.8                  | -     | Affected
Oracle        | Primavera Unifier                                      | 19.12                 | -     | Affected
Oracle        | Primavera Unifier                                      | 20.12                 | -     | Affected
Oracle        | Retail Customer Management And Segmentation Foundation | 19.0                  | -     | Affected
Oracle        | Retail Xstore Point Of Service                         | 16.0.6                | -     | Affected
Oracle        | Retail Xstore Point Of Service                         | 17.0.4                | -     | Affected
Oracle        | Retail Xstore Point Of Service                         | 18.0.3                | -     | Affected
Oracle        | Retail Xstore Point Of Service                         | 19.0.2                | -     | Affected
Oracle        | Retail Xstore Point Of Service                         | 20.0.1                | -     | Affected
Oracle        | Webcenter Sites                                        | 12.2.1.3.0            | -     | Affected
Oracle        | Webcenter Sites                                        | 12.2.1.4.0            | -     | Affected
Oracle        | Communications Messaging Server                        | 8.1                   | -     | Affected

The Oracle and Fedora entries are products that bundle PDFBox; the PDFBox range itself is what a dependency inventory should be matched against.
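Matching an inventory against the ranges in this table is where checks commonly go wrong: a plain string comparison ranks "2.0.9" above "2.0.22" and reports an affected build as clean. The example below, added here and not part of the page or of PDFBox, parses the three range forms used in the table (">= a <= b", "< b", and a bare exact version) into integer tuples and applies them to a constructed list of jar names. The jar naming pattern (pdfbox-<version>.jar, pdfbox-app-<version>.jar) is an assumption matching the Maven Central artifacts; the sample classpath is constructed for the demo.

```python
"""Check dependency versions against the affected ranges listed on this page.

Added example, not page or project code. Versions are compared as tuples of
integers so that 2.0.9 < 2.0.22, which a string comparison gets wrong.
"""
import re
from typing import Callable, Dict, List, Tuple

# Affected range for Apache PDFBox exactly as given in the CPE table above.
PDFBOX_AFFECTED = ">= 2.0.0 <= 2.0.22"

# Assumed jar naming as published on Maven Central; adjust for other packaging.
_JAR_RE = re.compile(r"^(?:pdfbox|pdfbox-app)-(\d+(?:\.\d+)+)\.jar$")
# One constraint: optional operator followed by a dotted version.
_SPEC_RE = re.compile(r"(>=|<=|<|>)?\s*(\d+(?:\.\d+)*)")

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda x, y: x >= y,
    "<=": lambda x, y: x <= y,
    "<": lambda x, y: x < y,
    ">": lambda x, y: x > y,
    "==": lambda x, y: x == y,
}

# Constructed sample classpath for the demo (not a real deployment).
SAMPLE_CLASSPATH = [
    "pdfbox-2.0.22.jar",      # last release inside the affected range
    "pdfbox-2.0.9.jar",       # inside the range; string compare would miss it
    "pdfbox-app-2.0.23.jar",  # outside the range listed on this page
    "pdfbox-3.0.0.jar",       # outside the range listed on this page
    "fontbox-2.0.22.jar",     # not a product named in the CPE table
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.0.22' -> (2, 0, 22); tolerates a trailing qualifier like '-SNAPSHOT'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Right-pad with zeros so 14.5 and 14.5.0 compare equal.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(version: str, spec: str) -> bool:
    """spec uses the forms seen in the table: '>= 2.0.0 <= 2.0.22',
    '< 11.2.8.0', or a bare exact version such as '14.5'."""
    v = parse_version(version)
    constraints = _SPEC_RE.findall(spec)
    if not constraints:
        raise ValueError(f"unparseable range {spec!r}")
    for op, bound in constraints:
        a, b = _padded(v, parse_version(bound))
        if not _OPS[op or "=="](a, b):
            return False
    return True


def affected_jars(jar_names: List[str], spec: str = PDFBOX_AFFECTED) -> List[str]:
    """Return the PDFBox jars whose version falls inside the affected range."""
    hits = []
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m and in_range(m.group(1), spec):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for jar in affected_jars(SAMPLE_CLASSPATH):
        print("AFFECTED:", jar)
```

A jar outside the range is only "not listed here"; the page gives no fixed-version statement, so confirm the upgrade target against the PDFBox announcement linked in the references before closing the finding.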