CVE-2017-12595

Published: Aug 27, 2017Modified: May 13, 2026

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dictionaries, which allows remote attackers to cause a denial of service (stack consumption and segmentation fault) or possibly have unspecified other impact via a PDF document with a deep data structure, as demonstrated by a crash in QPDFObjectHandle::parseInternal in libqpdf/QPDFObjectHandle.cc.

Affected (2)

Products: Qpdf Project: Qpdf

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Qpdf Project Qpdf	Version 6.0.0
Qpdf Project Qpdf	Version 7.0.b1

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/qpdf/qpdf/issues/146

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://usn.ubuntu.com/3638-1/

Source: cve@mitre.org

https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/qpdf/qpdf/issues/146

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://usn.ubuntu.com/3638-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.