Denial of Service Vulnerability in Pillow by Python
CVE-2023-44271

7.5HIGH

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 3 November 2023

Summary

An issue has been identified in Pillow versions prior to 10.0.0 which can lead to a Denial of Service attack. This vulnerability occurs when the ImageFont component processes lengthy text in an ImageDraw instance, resulting in excessive memory allocation that can potentially cause the service to crash due to exhaustion of memory resources. Users of affected versions should assess their deployments and apply necessary updates to mitigate this risk.

References

https://github.com/python-pillow/Pillow/pull/7244

https://github.com/python-pillow/Pillow/commit/1fe1bb49c4...

https://devhub.checkmarx.com/cve-details/CVE-2023-44271/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 3, 2023
Vulnerability Reserved
Sep 28, 2023