Vulnerability Details : CVE-2023-28428
PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability exists in the pdfio parser. Crafted PDF files can cause the program to run at 100% CPU utilization and never terminate. This is different from CVE-2023-24808. A patch for this issue is available in version 1.1.1.
Vulnerability category: Denial of service
Products affected by CVE-2023-28428
- cpe:2.3:a:pdfio_project:pdfio:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28428
EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~12% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-28428
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | 1.8 | 1.4 | NIST | 
6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 | GitHub, Inc. | 
CWE ids for CVE-2023-28428
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-28428
- https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (Patch): "Fix potential denial-of-service in flate stream code." michaelrsweet/pdfio@97d4955, GitHub
- https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf (Vendor Advisory): "Denial Of Service when opening a corrupt PDF file", michaelrsweet/pdfio advisory, GitHub