PyPi: Pillow

CVE-2023-44271

Safety vulnerability ID: 62156

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 03, 2023 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
https://github.com/python-pillow/Pillow/pull/7244

Affected package

pillow

Latest version: 11.0.0

Python Imaging Library (Fork)

Affected versions

Fixed versions

Vulnerability changelog

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. See CVE-2023-44271.

MISC:https://devhub.checkmarx.com/cve-details/CVE-2023-44271/: https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
MISC:https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7: https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
MISC:https://github.com/python-pillow/Pillow/pull/7244: https://github.com/python-pillow/Pillow/pull/7244

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH