Apache PDFBox Examples Path Traversal Vulnerability in ExtractEmbeddedFiles
Vulnerability
A path traversal vulnerability has been identified in the Apache PDFBox Examples, specifically in the ExtractEmbeddedFiles example. The issue affects versions 2.0.24 up to but not including 2.0.36, and 3.0.0 up to but not including 3.0.7. The flaw arises because the directory validation logic does not properly handle file path separators, so a malicious PDF can cause embedded files to be written to unintended locations. Users who have integrated this example into their production code should apply the recommended fix available in GitHub PR 427.
Impact
Exploitation of this vulnerability could lead to unauthorized file writes outside the intended directory, potentially overwriting existing files or creating new ones in sensitive locations.
Reproduction
The vulnerability can be reproduced with the ExtractEmbeddedFiles example in an affected version of Apache PDFBox. A PDF can be crafted so that an embedded file's path bypasses the directory validation and the file is written to a location the user running the example has permission to access.
Remediation
Users are advised to update to Apache PDFBox version 2.0.37 or 3.0.8, once available. Those who have copied the ExtractEmbeddedFiles example into their production code should apply the fix provided in GitHub PR 427.
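As an added illustration (not PDFBox's own code and not the change in PR 427), the following Java helper shows the kind of check a caller can apply before writing an embedded file: both separator characters are rejected regardless of the host platform, and the canonical path is compared against the output directory as a second layer. The class name, method name and sample file names are constructed for this example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hypothetical hardened resolution of an embedded file's output path.
 * Illustration written for this page, not PDFBox's own code and not the
 * change in PR 427. The embedded file name comes from PDF content, so it is
 * treated as untrusted input.
 */
public class SafeEmbeddedFilePath {
    /** Returns the file under outputDir to write, or throws if the name would escape it. */
    public static File resolveOutputFile(File outputDir, String embeddedName) throws IOException {
        if (embeddedName == null || embeddedName.isEmpty()) {
            throw new IOException("empty embedded file name");
        }
        // Treat both '/' and '\\' as separators whatever the host OS: a check
        // that only knows File.separator misses the other form.
        if (embeddedName.indexOf('/') >= 0 || embeddedName.indexOf('\\') >= 0) {
            throw new IOException("path separator in embedded file name: " + embeddedName);
        }
        // "." and ".." carry no separator but still resolve onto or above outputDir.
        if (embeddedName.equals(".") || embeddedName.equals("..")) {
            throw new IOException("invalid embedded file name: " + embeddedName);
        }
        File candidate = new File(outputDir, embeddedName);
        // Second layer: canonicalise both paths (resolves "..", symlinks, and
        // case on case-insensitive file systems) and require the candidate to
        // sit strictly inside the output directory.
        String base = outputDir.getCanonicalPath();
        String prefix = base.endsWith(File.separator) ? base : base + File.separator;
        String target = candidate.getCanonicalPath();
        if (!target.startsWith(prefix)) {
            throw new IOException("embedded file would be written outside " + base);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File out = new File("extracted");   // constructed sample output directory
        String[] names = { "report.txt", "../escaped.txt", "..\\escaped.txt", ".." };
        for (String n : names) {
            try {
                System.out.println(n + " -> " + resolveOutputFile(out, n));
            } catch (IOException e) {
                System.out.println(n + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample name is accepted; the other three are rejected by the separator or dot checks before any file is created.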
