Vulnerability Details : CVE-2021-27906
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Products affected by CVE-2021-27906
- cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
- Oracle » Flexcube Universal BankingVersions from including (>=) 14.0.0 and up to, including, (<=) 14.3.0cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_universal_banking:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
- Oracle » Communications Session Report ManagerVersions from including (>=) 8.0.0 and up to, including, (<=) 8.2.4.0cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-27906
0.11%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-27906
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2021-27906
-
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.Assigned by: security@apache.org (Secondary)
References for CVE-2021-27906
-
https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E
[GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E
[jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Third Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E
CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4/
[SECURITY] Fedora 33 Update: pdfbox-2.0.23-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E
[jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E
[jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E
CVE-2021-27906: Apache PDFBox: a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E
[ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205) - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E
CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/
[SECURITY] Fedora 34 Update: pdfbox-2.0.23-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2021/03/19/10
oss-security - CVE-2021-27906: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the fileMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E
CVE-2021-27906: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file - Pony MailMailing List;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H/
[SECURITY] Fedora 32 Update: pdfbox-2.0.23-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E
[ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205) - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E
[jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E
OSS-Fuzz integration - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E
CVE's - Pony MailMailing List;Vendor Advisory
Jump to