Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pdfminer.six vulnerable to Arbitrary Code Execution via Crafted PDF Input
Vulnerability Description
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
pdfminer.six 代码问题漏洞
Vulnerability Description
pdfminer.six是pdfminer开源的一款用于从PDF文档中提取信息的工具。 pdfminer.six 20251107之前版本存在代码问题漏洞,该漏洞源于CMapDB._load_data函数使用pickle.loads反序列化恶意pickle文件,可能导致执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A