CVE-2021-29421

Published: 01/04/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

models/metadata.py in the pikepdf package 1.3.0 up to and including 2.9.2 for Python allows XXE when parsing XMP metadata entries.

Vulnerable Products

pikepdf project: pikepdf

fedoraproject: fedora 32

fedoraproject: fedora 33

Vendor Advisories

Debian Bug report logs - #986274 pikepdf: CVE-2021-29421. Package: src:pikepdf; Maintainer for src:pikepdf is Debian Python Team <team+python@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 2 Apr 2021 09:09:01 UTC; Severity: grave; Tags: security, upstream; Found in version pikepdf ...
There's a flaw in the pikepdf Python library's XMP metadata parsing functionality. An attacker who is able to submit a crafted PDF file to be processed by pikepdf could trigger an XML External Entity (XXE) injection. The highest threat of this flaw is to confidentiality of data ...
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XML external entity injection (XXE) when parsing XMP metadata entries ...
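The summary above describes XXE reachable through XMP metadata. As an added defensive illustration (not pikepdf's own code, stdlib only), the following rejects any XMP packet that carries a DOCTYPE, entity declaration or external entity reference before the element parser ever sees it; XMP is plain RDF/XML and never legitimately needs a DTD. The sample packets and the function names are constructed for this example.

```python
"""Hardened XMP metadata extraction (constructed example, not pikepdf code)."""
from typing import Optional
import xml.etree.ElementTree as ET
from xml.parsers import expat

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
DC_NS = "http://purl.org/dc/elements/1.1/"


class UnsafeXmpError(ValueError):
    """Raised when an XMP packet carries DTD or entity constructs."""


def check_xmp_for_entities(xmp: bytes) -> None:
    """Abort on <!DOCTYPE>, <!ENTITY> or external entity references.

    A bare expat parser is run over the packet with handlers that raise;
    malformed XML surfaces as expat.ExpatError from Parse()."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*_args):
        raise UnsafeXmpError("DTD/entity construct in XMP packet")

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.Parse(xmp, True)


def is_safe_xmp(xmp: bytes) -> bool:
    """True if the packet passed the DTD/entity screen."""
    try:
        check_xmp_for_entities(xmp)
    except UnsafeXmpError:
        return False
    return True


def extract_dc_title(xmp: bytes) -> Optional[str]:
    """Screen the packet, then read dc:title/rdf:Alt/rdf:li."""
    check_xmp_for_entities(xmp)
    root = ET.fromstring(xmp)
    for title in root.iter(f"{{{DC_NS}}}title"):
        li = title.find(f".//{{{RDF_NS}}}li")
        if li is not None and li.text:
            return li.text
    return None


# Constructed XMP packets: one benign, one with an internal DTD subset.
BENIGN_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title><rdf:Alt><rdf:li xml:lang="x-default">Quarterly report</rdf:li></rdf:Alt></dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

DTD_XMP = b"""<!DOCTYPE x [<!ENTITY e "expanded">]>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><t>&e;</t></x:xmpmeta>"""
```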