Vulnerability Name:

CVE-2021-27807 (CCN-198451)

Assigned:2021-03-19
Published:2021-03-19
Updated:2022-09-03
Summary:A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-834
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2021-27807

Source: MLIST
Type: Mailing List, Vendor Advisory
[oss-security] 20210319 CVE-2021-27807: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file

Source: XF
Type: UNKNOWN
apache-cve202127807-dos(198451)

Source: MLIST
Type: Mailing List, Vendor Advisory
[announce] 20210320 CVE-2021-27807: Apache PDFBox: a carefully crafted PDF file can trigger an infinite loop while loading the file

Source: MLIST
Type: Mailing List, Vendor Advisory
[pdfbox-dev] 20210322 OSS-Fuzz integration

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-commits] 20210321 [ofbiz-framework] branch trunk updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[pdfbox-users] 20210320 CVE-2021-27807: Apache PDFBox: a carefully crafted PDF file can trigger an infinite loop while loading the file

Source: MLIST
Type: Mailing List, Vendor Advisory
[james-notifications] 20210501 [GitHub] [james-project] chibenwa opened a new pull request #414: [UPGRADE] Adopt Apache Tika 1.26

Source: MLIST
Type: Mailing List, Vendor Advisory
[pdfbox-dev] 20210518 CVE's

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-commits] 20210321 [ofbiz-framework] branch release18.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20210405 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20210321 [jira] [Created] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906

Source: CONFIRM
Type: Mailing List, Vendor Advisory
N/A

Source: MLIST
Type: Mailing List, Vendor Advisory
[pdfbox-users] 20210319 CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop while loading the file

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-commits] 20210321 [ofbiz-framework] branch release17.12 updated: Fixed: Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906 (OFBIZ-12205)

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20210321 [jira] [Closed] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20210321 [jira] [Updated] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20210321 [jira] [Commented] (OFBIZ-12205) Upgrade Apache PDFBox to 2.0.23 because of CVE-2021-27807 and CVE-2021-27906

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-dc83ae690a

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-8b17a2725e

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-93469e0030

Source: CCN
Type: Apache Web site
Apache PDFBox

Source: CCN
Type: oss-sec Mailing List, Fri, 19 Mar 2021 16:30:27 +0100
CVE-2021-27807: Apache PDFBox: A carefully crafted PDF file can trigger an infinite loop while loading the file

Source: CCN
Type: IBM Security Bulletin 6464813 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox

Source: CCN
Type: IBM Security Bulletin 6467705 (DataQuant for z/OS)
IBM DataQuant Fix for (All) Apache PDF Box (Publicly disclosed vulnerability)

Source: CCN
Type: IBM Security Bulletin 6470215 (Watson Explorer Deep Analytics)
Watson Explorer is affected by Apache PDFBox vulnerabilities (CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812)

Source: CCN
Type: IBM Security Bulletin 6472495 (Compare and Comply)
IBM Watson Compare and Comply for IBM Cloud Pak for Data affected by vulnerability in Apache PDFBox

Source: CCN
Type: IBM Security Bulletin 6474845 (QRadar Incident Forensics)
Apache PDFBox as used by IBM QRadar Incident Forensics is vulnerable to denial of service (CVE-2021-27807, CVE-2021-27906)

Source: CCN
Type: IBM Security Bulletin 6505281 (Cloud Pak for Security)
IBM Security Risk Manager on CP4S is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6520510 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6570915 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

Source: N/A
Type: Patch, Third Party Advisory
N/A

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:pdfbox:*:*:*:*:*:*:*:* (Version >= 2.0.0 and <= 2.0.22)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_unifier:*:*:*:*:*:*:*:* (Version >= 17.7 and <= 17.12)
  • OR cpe:/a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:* (Version >= 14.0.0 and <= 14.3.0)
  • OR cpe:/a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
  • OR cpe:/o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0)
  • OR cpe:/a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:* (Version < 11.2.8.0)
  • OR cpe:/a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_universal_banking:14.5.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:pdfbox:2.0.21:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:dataquant:2.1:*:*:*:z/os:*:*:*
  • OR cpe:/a:ibm:qradar_incident_forensics:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7990
    P
    		apache-pdfbox-2.0.23-150200.3.6.3 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:111946
    P
    		apache-pdfbox-2.0.23-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105512
    P
    		apache-pdfbox-2.0.23-1.3 on GA media (Moderate)
    2021-10-01
    BACK
    apache pdfbox *
    fedoraproject fedora 32
    fedoraproject fedora 33
    fedoraproject fedora 34
    oracle hyperion financial reporting 11.1.2.4
    oracle webcenter sites 12.2.1.3.0
    oracle primavera unifier 18.8
    oracle primavera unifier *
    oracle flexcube universal banking *
    oracle outside in technology 8.5.5
    oracle primavera unifier 19.12
    oracle webcenter sites 12.2.1.4.0
    oracle retail customer management and segmentation foundation 19.0
    oracle primavera unifier 20.12
    oracle banking virtual account management 14.3.0
    oracle banking trade finance process management 14.3.0
    oracle communications messaging server 8.1
    oracle retail xstore point of service 16.0.6
    oracle retail xstore point of service 17.0.4
    oracle retail xstore point of service 18.0.3
    oracle retail xstore point of service 19.0.2
    oracle retail xstore point of service 20.0.1
    oracle hyperion financial reporting 11.2.6.0
    oracle banking virtual account management 14.2.0
    oracle banking virtual account management 14.5.0
    oracle banking trade finance process management 14.5.0
    oracle communications session report manager *
    oracle banking trade finance process management 14.2.0
    oracle hyperion infrastructure technology *
    oracle banking treasury management 14.5
    oracle flexcube universal banking 14.5.0
    apache pdfbox 2.0.21
    ibm watson discovery 2.0.0
    ibm dataquant 2.1
    ibm qradar incident forensics 7.3.0
    ibm watson discovery 2.2.1
    ibm cloud pak for security 1.7.2.0
    ibm cognos analytics 11.2.0
    ibm cognos analytics 11.1.7