CVE-2023-44271

EPSS 0.14%
Published 03.11.2023 05:15:30
Last modified 21.11.2024 08:25:33
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Affected products Warnungen 0 Metrics 2 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Pillow Version < 10.0.0

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.342

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html

https://devhub.checkmarx.com/cve-details/CVE-2023-44271/

Third Party Advisory

https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7

Patch

https://github.com/python-pillow/Pillow/pull/7244

Patch

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2023-44271

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-44271

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-44271

EUVD