{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-44271", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T19:59:51.982Z", "dateReserved": "2023-09-28T00:00:00", "datePublished": "2023-11-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-22T11:05:57.360369"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/python-pillow/Pillow/pull/7244"}, {"url": "https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7"}, {"url": "https://devhub.checkmarx.com/cve-details/CVE-2023-44271/"}, {"name": "FEDORA-2023-1a120657f9", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/"}, {"name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:59:51.982Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/python-pillow/Pillow/pull/7244", "tags": ["x_transferred"]}, {"url": "https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7", "tags": ["x_transferred"]}, {"url": "https://devhub.checkmarx.com/cve-details/CVE-2023-44271/", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-1a120657f9", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/"}, {"name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "70ADC73C-9DBB-4903-B4E9-6C2354F2F07A", "versionEndExcluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Pillow antes de la versi\u00f3n 10.0.0. Es una Denegaci\u00f3n de Servicio que asigna memoria de forma incontrolable para procesar una tarea determinada, lo que puede provocar que un servicio falle al quedarse sin memoria. Esto ocurre para truetype en ImageFont cuando la longitud del texto en una instancia de ImageDraw opera con un argumento de texto largo."}], "id": "CVE-2023-44271", "lastModified": "2024-03-22T11:15:46.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-03T05:15:30.137", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://devhub.checkmarx.com/cve-details/CVE-2023-44271/"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/python-pillow/Pillow/pull/7244"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1057", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-pillow-0:10.0.1-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:1057", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-pillow-0:10.0.1-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-02-29T00:00:00Z"}, {"advisory": "RHSA-2024:0345", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-pillow-0:2.0.0-24.gitd1c6db8.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-01-23T00:00:00Z"}, {"advisory": "RHSA-2024:3005", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pillow-0:5.1.1-20.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}], "bugzilla": {"description": "python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument", "id": "2247820", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247820"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.", "A flaw was found in Pillow. A denial of service issue uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for TrueType in ImageFont when text length in an ImageDraw instance operates on a long text argument."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-44271", "public_date": "2023-06-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-44271\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-44271\nhttps://devhub.checkmarx.com/cve-details/CVE-2023-44271/\nhttps://github.com/python-pillow/Pillow/pull/7244"], "statement": "This security vulnerability is categorized as having a moderate impact because it only results in increased memory consumption when exceptionally long strings are utilized as text input.", "threat_severity": "Moderate", "upstream_fix": "Pillow 10.0.0"}