CVE-2023-29408 — Allocation of Resources Without Limits or Throttling in X Image Golang.org X Image Tiff

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X Image Golang.org X Image Tiff Golang.org X Image Golang Image +2 more

Timeline

PublishedAug 2

Latest updateJan 15

Description

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5golang.org/x_image_golang.org_x_image_tiff< 0.10.0

▶NVDgolang/image< 0.10.0

▶Gogolang.org/x_image< 0.10.0

▶debiandebian/golang-golang-x-image< golang-golang-x-image 0.11.0-1 (forky)

Also affects: Fedora 37, 38

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: pkg.go.dev ↗

🔴Vulnerability Details

OSV

CVE-2023-29408: The TIFF decoder does not place a limit on the size of compressed tile data↗2023-08-02

▶

OSV

Golang TIFF decoder does not place a limit on the size of compressed tile data↗2023-08-02

▶

GHSA

Golang TIFF decoder does not place a limit on the size of compressed tile data↗2023-08-02

▶

OSV

Excessive resource consumption in golang.org/x/image/tiff↗2023-08-02

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Golang Go) — CVE-2023-29408↗2025-01-15

▶

Red Hat

golang.org/x/image/tiff: TIFF decoder does not place a limit on the size of compressed tile data↗2023-08-02

▶

Debian

CVE-2023-29408: golang-golang-x-image - The TIFF decoder does not place a limit on the size of compressed tile data. A m...↗2023

▶