CVE-2023-44271
python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Se descubrió un problema en Pillow antes de la versión 10.0.0. Es una Denegación de Servicio que asigna memoria de forma incontrolable para procesar una tarea determinada, lo que puede provocar que un servicio falle al quedarse sin memoria. Esto ocurre para truetype en ImageFont cuando la longitud del texto en una instancia de ImageDraw opera con un argumento de texto largo.
A flaw was found in Pillow. A denial of service issue uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for TrueType in ImageFont when text length in an ImageDraw instance operates on a long text argument.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-09-28 CVE Reserved
- 2023-11-03 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://devhub.checkmarx.com/cve-details/CVE-2023-44271 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 | 2024-03-22 | |
https://github.com/python-pillow/Pillow/pull/7244 | 2024-03-22 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Python Search vendor "Python" | Pillow Search vendor "Python" for product "Pillow" | < 10.0.0 Search vendor "Python" for product "Pillow" and version " < 10.0.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
|