DEBIAN-CVE-2026-33929

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33929

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33929

Upstream

CVE-2026-33929

Published

2026-04-14T09:16:36.297Z

Modified

2026-04-28T20:31:39.663894Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

References

https://security-tracker.debian.org/tracker/CVE-2026-33929

Affected packages

Debian:11

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/debian/libpdfbox-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-2

1:1.8.16-3

1:1.8.16-4

1:1.8.16-5

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/debian/libpdfbox2-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.23-1

2.0.24-1

2.0.24-2

2.0.25-1

2.0.26-1

2.0.27-1

2.0.27-2

2.0.29-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

Debian:12

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/debian/libpdfbox-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-2

1:1.8.16-3

1:1.8.16-4

1:1.8.16-5

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/debian/libpdfbox2-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.27-2

2.0.29-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

Debian:13

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/debian/libpdfbox-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-5

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/debian/libpdfbox2-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.29-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

Debian:14

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/debian/libpdfbox-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-5

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/debian/libpdfbox2-java?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.29-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33929.json"