UBUNTU-CVE-2026-33929

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33929

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-33929

Upstream

CVE-2026-33929

Published

2026-04-14T09:16:00Z

Modified

2026-04-16T11:05:39.581974Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository.

References

Affected packages

Ubuntu:16.04:LTS

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.11+dfsg-1?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.7+dfsg-1

1:1.8.10-1

1:1.8.10-2

1:1.8.11+dfsg-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.11+dfsg-1",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.11+dfsg-1",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.11+dfsg-1",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

Ubuntu:18.04:LTS

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.16-2~18.04?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.13-1

1:1.8.13-2

1:1.8.16-2~18.04

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.16-2~18.04",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.16-2~18.04",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.16-2~18.04",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/ubuntu/libpdfbox2-java@2.0.13-2~18.04?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.7-1

2.0.8-1

2.0.8-2

2.0.9-1

2.0.13-2~18.04

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.13-2~18.04",
            "binary_name": "libfontbox2-java"
        },
        {
            "binary_version": "2.0.13-2~18.04",
            "binary_name": "libpdfbox2-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

Ubuntu:20.04:LTS

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.16-2?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/ubuntu/libpdfbox2-java@2.0.18-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.16-1

2.0.17-1

2.0.18-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.18-1",
            "binary_name": "libfontbox2-java"
        },
        {
            "binary_version": "2.0.18-1",
            "binary_name": "libpdfbox2-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

Ubuntu:22.04:LTS

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.16-2?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.16-2",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/ubuntu/libpdfbox2-java@2.0.25-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.23-1

2.0.24-2

2.0.25-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.25-1",
            "binary_name": "libfontbox2-java"
        },
        {
            "binary_version": "2.0.25-1",
            "binary_name": "libpdfbox2-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

Ubuntu:24.04:LTS

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.16-5?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-4

1:1.8.16-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/ubuntu/libpdfbox2-java@2.0.29-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.27-2

2.0.29-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.29-1",
            "binary_name": "libfontbox2-java"
        },
        {
            "binary_version": "2.0.29-1",
            "binary_name": "libpdfbox2-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

Ubuntu:25.10

libpdfbox-java

Package

Name: libpdfbox-java
Purl: pkg:deb/ubuntu/libpdfbox-java@1:1.8.16-5?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.8.16-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libfontbox-java"
        },
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libjempbox-java"
        },
        {
            "binary_version": "1:1.8.16-5",
            "binary_name": "libpdfbox-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"

libpdfbox2-java

Package

Name: libpdfbox2-java
Purl: pkg:deb/ubuntu/libpdfbox2-java@2.0.29-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.29-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.29-1",
            "binary_name": "libfontbox2-java"
        },
        {
            "binary_version": "2.0.29-1",
            "binary_name": "libpdfbox2-java"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33929.json"