Vulnerability Description
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Pillow | < 10.0.0 |
| Fedoraproject | Fedora | 38 |
Related Weaknesses (CWE)
References
- https://devhub.checkmarx.com/cve-details/CVE-2023-44271/Third Party Advisory
- https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3befPatch
- https://github.com/python-pillow/Pillow/pull/7244Patch
- https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
- https://devhub.checkmarx.com/cve-details/CVE-2023-44271/Third Party Advisory
- https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3befPatch
- https://github.com/python-pillow/Pillow/pull/7244Patch
- https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
FAQ
What is CVE-2023-44271?
CVE-2023-44271 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of ...
How severe is CVE-2023-44271?
CVE-2023-44271 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-44271?
Check the references section above for vendor advisories and patch information. Affected products include: Python Pillow, Fedoraproject Fedora.