PT-2023-9330 · Pillow+9 · Pillow+9

Hugovk

Publicado

2023-06-30

Atualizado

2026-03-31

CVE-2023-44271

CVSS v4.0

8.7

Alta

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 10.0.0

Description The issue is related to a Denial of Service in Pillow, where the truetype function in ImageFont uncontrollably allocates memory when processing a long text argument in an ImageDraw instance. This can cause a service to crash due to memory exhaustion. The vulnerability can be exploited by a remote attacker to cause a denial of service.

Recommendations For Pillow versions prior to 10.0.0, update to version 10.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the length of text arguments passed to the textlength function in ImageDraw instances to prevent excessive memory allocation.

Correção

DoS

Allocation of Resources Without Limits

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-770CWE-400

Identificadores relacionados

ALSA-2024:3005

BDU:2024-06540

BIT-PILLOW-2023-44271

CESA-2024_0345

CESA-2024_3005

CVE-2023-44271

DLA-3768-1

DSA-5704-1

GHSA-8GHJ-P4VJ-MR35

INFSA-2024_3005

MGASA-2024-0133

OESA-2023-1856

OPENSUSE-SU-2023_4465-1

OPENSUSE-SU-2023_4528-1

OPENSUSE-SU-2024:13439-1

PYSEC-2023-227

RHSA-2024:0345

RHSA-2024:1057

RHSA-2024:3005

RHSA-2024_0345

RHSA-2024_3005

RLSA-2024:3005

ROSA-SA-2024-2392

SUSE-SU-2023:4465-1

SUSE-SU-2023:4528-1

SUSE-SU-2023:4630-1

SUSE-SU-2023:4631-1

USN-6618-1

USN-8135-1

Produtos afetados

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2023-9330 · Pillow+9 · Pillow+9

CVE-2023-44271

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 67