Fluid Attacks Database

Description

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	cs.opensource.google/go/x/net	<0	-
debian 12	golang-golang-x-image	>=0 <0.5.0-1	0.5.0-1
debian 11	golang-golang-x-image	=0.0~git20200119.58c2397-1 \|\| =0.0~git20210628.a66eb64-1 \|\| =0.0~git20211028.6944b10-1 \|\| =0.0~git20211028.6944b10-1~bpo11+1 \|\| =0.1.0-1 \|\| =0.11.0-1 \|\| =0.12.0-1 \|\| =0.13.0-1 \|\| =0.14.0-1 \|\| =0.15.0-1 \|\| =0.16.0-1 \|\| =0.18.0-1 \|\| =0.2.0-1 \|\| =0.32.0-1 \|\| =0.35.0-1 \|\| =0.38.0-1 \|\| =0.39.0-1 \|\| =0.5.0-1 \|\| =0.7.0-1 \|\| =0.8.0-1 \|\| =0.9.0-1	-
debian 13	golang-golang-x-image	>=0 <0.5.0-1	0.5.0-1
debian 14	golang-golang-x-image	>=0 <0.5.0-1	0.5.0-1
go	golang.org/x/image	>=0 <0.5.0	0.5.0

Aliases

1. CVE-2022-417272. NVD-2022-417273. OSV-2022-417274. OSV-DEBIAN-2022-417275. GCVE-2022-417276. SECURITY-TRACKER-CVE-2022-41727

References

1. https://go.dev/cl/4681952. https://go.dev/issue/580033. https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o4. https://pkg.go.dev/vuln/GO-2023-15725. https://lists.fedoraproject.org/archives/list/[email protected]/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K66. https://lists.fedoraproject.org/archives/list/[email protected]/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ27. https://lists.fedoraproject.org/archives/list/[email protected]/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.