GHSA-fg3j-q579-v8x4 · Severity: medium · Ecosystem: maven — Uncontrolled memory consumption
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Conclusion & alert: CVE-2021-31811 is rated Moderate Risk (55.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 3.45%). Core evidence: EPSS rose +3.24% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.21% | 3.45% | +3.24% |
| 2 | 2026-05-26 | 0.52% | 0.21% | -0.31% |
| 3 | 2026-04-30 | — | 0.52% | — |
Full EPSS history (26 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-fg3j-q579-v8x4 · Severity: medium · Ecosystem: maven — Uncontrolled memory consumption
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-31811 not yet assigned priority: Debian including 2 source packages (libpdfbox-java, libpdfbox2-java), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 6, resolved 4. | https://security-tracker.debian.org/tracker/CVE-2021-31811 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2021-31811 |
suse
|
medium | CVE-2021-31811 severity moderate: SUSE including 1 source package names (apache-pdfbox), 14 product×package rows across 14 product lines (SUSE CaaS Platform 4.0, SUSE Enterprise Storage 6, … (14 product lines)): Known Not Affected 14. | https://www.suse.com/security/cve/CVE-2021-31811/ |
ubuntu
|
low | CVE-2021-31811 low priority: Ubuntu including 2 source packages (libpdfbox-java, libpdfbox2-java), 32 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 17, needs-triage 13, DNE 2. | https://ubuntu.com/security/CVE-2021-31811 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | pdfbox | >= 2.0.0, <= 2.0.23 | cpe:2.3:a:apache:pdfbox:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 33 | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| fedoraproject | fedora | 34 | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.2.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.3.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_corporate_lending_process_management | 14.5.0 | cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.2.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.3.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_credit_facilities_process_management | 14.5.0 | cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.2.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.3.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:* |
| oracle | banking_supply_chain_finance | 14.5.0 | cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:* |
| oracle | banking_trade_finance | 14.5 | cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:* |
| oracle | banking_treasury_management | 14.5 | cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:* |
| oracle | flexcube_universal_banking | >= 14.0.0, <= 14.3.0 | cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:* |
| oracle | flexcube_universal_banking | 14.5 | cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:* |
| oracle | outside_in_technology | 8.5.5 | cpe:2.3:a:oracle:outside_in_technology:8.5.5:*:*:*:*:*:*:* |
| oracle | primavera_unifier | >= 17.7, <= 17.12 | cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 18.8 | cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 19.12 | cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 20.12 | cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* |
| oracle | retail_customer_management_and_segmentation_foundation | 18.1 | cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.1:*:*:*:*:*:*:* |
| oracle | communications_messaging_server | 8.1 | cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:* |