[ 
https://issues.apache.org/jira/browse/PDFBOX-6196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Lehmkühler closed PDFBOX-6196.
--------------------------------------
    Resolution: Duplicate

What exactly was the purpose of this ticket?

The PR is already handled in PDFBOX-6180. There is already a public 
announcement of that CVE on our mailing lists and, more importantly, the 
regular jar of pdfbox isn't affected at all, but one of the examples is.

> PDFBox 3.0.7 MEDIUM CVE-2026-33929
> ----------------------------------
>
>                 Key: PDFBOX-6196
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-6196
>             Project: PDFBox
>          Issue Type: Bug
>    Affects Versions: 3.0.7 PDFBox
>            Reporter: William Holmes
>            Priority: Major
>              Labels: vulnerability
>
> -*pdfbox-3.0.7.jar*- this jar isn't affected
> *pdfbox-examples.3.0.7.jar*
> *CVE-2026-33929*
> *Description*
> Improper Limitation of a Pathname to a Restricted Directory ('Path 
> Traversal') vulnerability in Apache PDFBox Examples. This issue affects the 
> ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, 
> from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 
> or 3.0.8 once available. Until then, they should apply the fix provided in 
> GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal 
> vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the 
> releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path 
> separator. Because of that, a user having write rights on /home/ABC could 
> be victim to a malicious PDF resulting in a write attempt to any path 
> starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this 
> example into their production code should apply the mentioned change. The 
> example has been changed accordingly and is available in the project 
> repository.
> *Origin*
> -pdfbox-3.0.7.jar- this jar isn't affected
> pdfbox-examples.3.0.7.jar
> *Risk*
> Exploitable
> *References*:
> 1. [https://github.com/apache/pdfbox]
> 2. [https://nvd.nist.gov/vuln/detail/CVE-2026-33929]
> 3. [https://github.com/apache/pdfbox/pull/427/changes]
> 4. [https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6]
> 5. [https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
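The flaw the report describes is a prefix comparison that ignores the path separator: "/home/ABC" is a string prefix of "/home/ABCDEF", so a sibling directory passes the check. The following is an added illustration written for this page; it is not code from PDFBox, from the ExtractEmbeddedFiles example, or from PR 427. The output directory "/home/ABC" and the embedded-file names are hypothetical, and the run assumes a POSIX filesystem.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not PDFBox code): a separator-blind prefix check of the
 * kind the report describes, beside a check that compares name elements.
 * Assumes a POSIX layout; "/home/ABC" and the file names are made up.
 */
public class EmbeddedFilePathCheck {

    /** Flawed: compares the normalized paths as strings. The base
     *  "/home/ABC" matches any sibling whose name merely begins with "ABC". */
    static boolean isInsideFlawed(String outDir, String name) {
        Path base = Paths.get(outDir).toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize(); // absolute name replaces base
        return target.toString().startsWith(base.toString());
    }

    /** Fixed: Path.startsWith compares whole name elements, so the prefix
     *  must end at a separator; the output directory itself is refused too. */
    static boolean isInsideFixed(String outDir, String name) {
        Path base = Paths.get(outDir).toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        return target.startsWith(base) && !target.equals(base);
    }

    public static void main(String[] args) {
        String outDir = "/home/ABC";          // hypothetical extraction directory
        String[] names = {                    // constructed embedded-file names
            "report.txt",                     // benign: stays inside
            "../ABCDEF/evil.sh",              // escapes via the shared "ABC" prefix
            "../../etc/cron.d/job",           // plain traversal
            "/tmp/abs.txt",                   // absolute name
            "..",                             // resolves to the parent directory
        };
        for (String name : names) {
            System.out.printf("%-24s flawed=%-5b fixed=%b%n", name,
                    isInsideFlawed(outDir, name), isInsideFixed(outDir, name));
        }
    }
}
```

Only "../ABCDEF/evil.sh" separates the two checks: the string version accepts it because "/home/ABCDEF/evil.sh" begins with "/home/ABC", while the element-wise version rejects it. If a string comparison is kept, the equivalent repair is to compare against the base plus File.separator. Both checks here are purely lexical; where the output directory may contain symbolic links, resolve the existing part of the target with toRealPath() before comparing.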
