PDFBox before versions 1.8.15 and 2.0.11 has an infinite loop in AFMParser.java. An attacker could exploit this to cause an out-of-memory error via a crafted PDF.
Upstream Release Notes:
Created pdfbox tracking bugs for this issue:
Affects: fedora-all [bug 1597491]
While Fuse 6.3 and Fuse 7.0 ship the vulnerable artifact via camel-pdfbox, the flawed code is not used, so no execution path leads to exposure to this vulnerability; both Fuse 6.3 and Fuse 7.0 standalone are therefore not affected. However, Fuse 7.0 on OpenShift ships the vulnerable artifact via the Maven BOM, so Fuse 7.0 is set as affected for that reason only.
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669