CVE-2023-29407Excessive Iteration in X Image Golang.org X Image Tiff

CWE-834Excessive Iteration7 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 52.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Golang.org X Image Golang.org X Image TiffGolang.org X ImageGolang Image+2 more
Timeline
PublishedAug 2

Description

A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDgolang/image< 0.10.0
Gogolang.org/x_image< 0.10.0
debiandebian/golang-golang-x-image< golang-golang-x-image 0.11.0-1 (forky)

Also affects: Fedora 37, 38

Patches

Patch: go.devPatch: pkg.go.devPatch: go.dev

🔴Vulnerability Details

4
GHSA
Golang TIFF decoder vulnerable to excessive CPU consumption2023-08-02
OSV
CVE-2023-29407: A maliciously-crafted image can cause excessive CPU consumption in decoding2023-08-02
OSV
Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff2023-08-02
OSV
Golang TIFF decoder vulnerable to excessive CPU consumption2023-08-02

📋Vendor Advisories

2
Red Hat
golang.org/x/image/tiff: excessive CPU consumption in decoding2023-08-02
Debian
CVE-2023-29407: golang-golang-x-image - A maliciously-crafted image can cause excessive CPU consumption in decoding. A t...2023
CVE-2023-29407 — Excessive Iteration | cvebase