
PEACH
Un cadre d’isolation des locataires
adawolfa/isdoc reads ISDOC invoices from ISDOCX (ZIP) archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes:
getFromName() inflates the ISDOC document and binary supplements with no size cap.saveTo() disk-fill — the supplement copy loop writes inflated bytes to disk with no running byte budget, so a bomb can exhaust disk even if the central-directory size is under-reported.Length is enormous is read and digested with no upper bound.
Exploitation requires the application to parse an attacker-supplied .isdocx or .pdf (the typical use is generating files or parsing files from trusted vendors, so a user must be induced to process a malicious file). When that happens the process can be driven to exhaust memory or disk, causing denial of service. There is no confidentiality or integrity impact — availability only.Fixed in 1.4.3, 1.5.1, 1.6.1 and 2.0.0. The readers now:
statName()) and reject entries over a cap before inflating — 256 KB (DocumentSizeLimit) for the ISDOC document, 32 MB (SizeLimit) for supplements;saveTo() and unlink the partial file on overflow;Length exceeds 256 MB before reading or digesting them.
New exceptions ReaderException::zipEntryTooLarge(), SupplementException::supplementTooLarge() and ReaderException::pdfSupplementTooLarge() surface the rejection.Versions before 1.4.0 (the 1.0–1.3 lines) are also affected and will not receive a fix, because they target end-of-life PHP. Users on those lines should upgrade to a maintained release — 1.4.3, 1.5.1, 1.6.1, or 2.0.0.
No code-level workaround exists in affected versions; upgrading is the fix. As mitigation, restrict parsing to trusted input, or enforce an external size / decompression limit (validate ZIP entry sizes, cap process memory) before handing files to the library.
Source: NVD
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."