CVE-2022-41727: Allocation of Resources Without Limits or Throttling in golang.org/x/image/tiff

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 95.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 28

Description

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (4 packages)

NVD: golang/image < 0.5.0
Go: golang.org/x/image < 0.5.0
Debian: debian/golang-golang-x-image < golang-golang-x-image 0.5.0-1 (bookworm)

Also affects: Fedora 37, 38

Patches

🔴 Vulnerability Details (4)

OSV: CVE-2022-41727: An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig (2023-02-28)
OSV: Uncontrolled Resource Consumption in golang.org/x/image (2023-02-17)
GHSA: Uncontrolled Resource Consumption in golang.org/x/image (2023-02-17)
OSV: Denial of service via crafted TIFF image in golang.org/x/image/tiff (2023-02-16)

📋 Vendor Advisories (2)

Red Hat: golang.org/x/image: Uncontrolled Resource Consumption (2023-02-28)
Debian: CVE-2022-41727: golang-golang-x-image - An attacker can craft a malformed TIFF image which will consume a significant am... (2022)
CVE-2022-41727 — MEDIUM severity | cvebase