PT-2023-9330 · Pillow

Hugovk · Published 2023-06-30 · Updated 2026-03-31 · CVE-2023-44271

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pillow versions prior to 10.0.0

Description: Pillow is affected by a denial-of-service issue: the truetype function in ImageFont allocates memory without limit when a long text argument is processed in an ImageDraw instance. The resulting memory exhaustion can crash the service, and a remote attacker can trigger it to cause a denial of service.

Recommendations: For Pillow versions prior to 10.0.0, update to version 10.0.0 or later to resolve the issue. As a temporary workaround, restrict the length of text arguments passed to the textlength function in ImageDraw instances to prevent excessive memory allocation.

Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits; Resource Exhaustion

Related Identifiers

ALSA-2024:3005
BDU:2024-06540
BIT-PILLOW-2023-44271
CESA-2024_0345
CESA-2024_3005
CVE-2023-44271
DLA-3768-1
DSA-5704-1
GHSA-8GHJ-P4VJ-MR35
INFSA-2024_3005
MGASA-2024-0133
OESA-2023-1856
OPENSUSE-SU-2023_4465-1
OPENSUSE-SU-2023_4528-1
OPENSUSE-SU-2024:13439-1
PYSEC-2023-227
RHSA-2024:0345
RHSA-2024:1057
RHSA-2024:3005
RHSA-2024_0345
RHSA-2024_3005
RLSA-2024:3005
ROSA-SA-2024-2392
SUSE-SU-2023:4465-1
SUSE-SU-2023:4528-1
SUSE-SU-2023:4630-1
SUSE-SU-2023:4631-1
USN-6618-1
USN-8135-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Pillow
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu