Huang Wenjie

**Name of the Vulnerable Software and Affected Versions** metadata-extractor versions up to 2.16.0 **Description** The issue allows an application crash due to uncaught exceptions when parsing a specially crafted JPEG file, potentially leading to a denial of service attack against services using the metadata-extractor library. **Recommendations** For metadata-extractor versions up to 2.16.0, update to a version later than 2.16.0 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** metadata-extractor versions up to 2.16.0 **Description** The issue allows an attacker to cause a denial of service by allocating large amounts of memory when reading a specially crafted JPEG file, potentially affecting services that use the metadata-extractor library. This can lead to an out-of-memory error even with very small inputs. **Recommendations** For metadata-extractor versions up to 2.16.0, update to a version later than 2.16.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iText versions 7.1.17 through 7.1.17 **Description** The issue is related to an out-of-memory error via the component `readStreamBytesRaw`, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. **Recommendations** For iText version 7.1.17, consider updating to version 7.1.18 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `readStreamBytesRaw` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** iText version 7.1.17 **Description** A stack-based buffer overflow was discovered in the component `ByteBuffer.append`, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. **Recommendations** For iText version 7.1.17, consider disabling the `ByteBuffer.append` component until a patch is available to prevent potential Denial of Service (DoS) attacks.

**Name of the Vulnerable Software and Affected Versions** iText version 7.1.17 **Description** The issue allows attackers to cause a Denial of Service (DoS) via a crafted PDF file, exploiting an out-of-bounds exception in the `ARCFOUREncryption.encryptARCFOUR` component. The vendor does not view this as a vulnerability and has not found it to be exploitable. **Recommendations** For version 7.1.17, consider disabling the `ARCFOUREncryption.encryptARCFOUR` component as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.