Vulnerability details: VCID-v8cj-pcn6-juff
Vulnerability ID VCID-v8cj-pcn6-juff
Aliases BIT-pillow-2023-44271
CVE-2023-44271
GHSA-8ghj-p4vj-mr35
PYSEC-2023-227
Summary An issue was discovered in Pillow before 10.0.0. It is a denial-of-service issue that uncontrollably allocates memory while processing a given task, potentially causing a service to crash by running out of memory. This occurs for TrueType fonts in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
cvssv3.1 7.5 https://devhub.checkmarx.com/cve-details/CVE-2023-44271
generic_textual HIGH https://devhub.checkmarx.com/cve-details/CVE-2023-44271
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8ghj-p4vj-mr35
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
cvssv3.1 7.5 https://github.com/python-pillow/Pillow
generic_textual HIGH https://github.com/python-pillow/Pillow
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
generic_textual HIGH https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/pull/7244
generic_textual HIGH https://github.com/python-pillow/Pillow/pull/7244
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-44271
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-44271
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
https://api.first.org/data/v1/epss?cve=CVE-2023-44271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28219
https://devhub.checkmarx.com/cve-details/CVE-2023-44271
https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
https://github.com/python-pillow/Pillow/pull/7244
https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/
https://nvd.nist.gov/vuln/detail/CVE-2023-44271
2247820 https://bugzilla.redhat.com/show_bug.cgi?id=2247820
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
GHSA-8ghj-p4vj-mr35 https://github.com/advisories/GHSA-8ghj-p4vj-mr35
RHSA-2024:0345 https://access.redhat.com/errata/RHSA-2024:0345
RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
RHSA-2024:3005 https://access.redhat.com/errata/RHSA-2024:3005
USN-6618-1 https://usn.ubuntu.com/6618-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://devhub.checkmarx.com/cve-details/CVE-2023-44271
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/pull/7244
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-44271
Exploit Prediction Scoring System (EPSS)
Percentile 0.34326
EPSS Score 0.00137
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:24:01.308446+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2023-227.yaml 37.0.0