Fluid Attacks Database

Description

Pillow Denial of Service vulnerability An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=0 <10.0.0	10.0.0
debian 11	pillow	=8.1.2+dfsg-0.3 \|\| =8.1.2+dfsg-0.3+deb11u1 \|\| >=0 <8.1.2+dfsg-0.3+deb11u2	8.1.2+dfsg-0.3+deb11u2
debian 12	pillow	=9.4.0-1.1 \|\| >=0 <9.4.0-1.1+deb12u1	9.4.0-1.1+deb12u1
debian 13	pillow	>=0 <10.0.0-1	10.0.0-1
debian 14	pillow	>=0 <10.0.0-1	10.0.0-1
rpm rhel7	python-pillow	<0:2.0.0-24.gitd1c6db8.el7_9	0:2.0.0-24.gitd1c6db8.el7_9
rpm rhel8	python-pillow	<0:5.1.1-20.el8	0:5.1.1-20.el8

Aliases

1. CVE-2023-442712. NVD-2023-442713. OSV-2023-442714. OSV-DEBIAN-2023-442715. GCVE-2023-442716. lists.debian.org7. SECURITY-TRACKER-CVE-2023-44271

References

1. https://github.com/python-pillow/Pillow/pull/72442. https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a73. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml4. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.