Vulnerability details: VCID-vyep-db8n-aaar
Vulnerability ID VCID-vyep-db8n-aaar
Aliases BIT-pillow-2023-44271
CVE-2023-44271
GHSA-8ghj-p4vj-mr35
PYSEC-2023-227
Summary An issue was discovered in Pillow before 10.0.0. It is a denial of service in which memory is allocated without bound to process a given task, potentially causing a service to crash by running it out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (4)
System Score Found at
cvssv3.1 8.1 https://access.redhat.com/errata/RHSA-2024:1057
ssvc Track https://access.redhat.com/errata/RHSA-2024:1057
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
epss 0.00148 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
epss 0.00568 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
epss 0.01918 https://api.first.org/data/v1/epss?cve=CVE-2023-44271
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8ghj-p4vj-mr35
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
cvssv3.1 6.7 https://github.com/python-pillow/Pillow
generic_textual MODERATE https://github.com/python-pillow/Pillow
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
generic_textual HIGH https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/pull/7244
generic_textual HIGH https://github.com/python-pillow/Pillow/pull/7244
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-44271
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-44271
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
https://api.first.org/data/v1/epss?cve=CVE-2023-44271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28219
https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
https://github.com/python-pillow/Pillow/pull/7244
https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/
2247820 https://bugzilla.redhat.com/show_bug.cgi?id=2247820
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVE-2023-44271 https://devhub.checkmarx.com/cve-details/CVE-2023-44271
CVE-2023-44271 https://nvd.nist.gov/vuln/detail/CVE-2023-44271
GHSA-8ghj-p4vj-mr35 https://github.com/advisories/GHSA-8ghj-p4vj-mr35
GLSA-202405-12 https://security.gentoo.org/glsa/202405-12
RHSA-2024:0345 https://access.redhat.com/errata/RHSA-2024:0345
RHSA-2024:1057 https://access.redhat.com/errata/RHSA-2024:1057
RHSA-2024:3005 https://access.redhat.com/errata/RHSA-2024:3005
USN-6618-1 https://usn.ubuntu.com/6618-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/errata/RHSA-2024:1057
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:57:21Z/ Found at https://access.redhat.com/errata/RHSA-2024:1057
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-44271.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow
Attack Vector (AV): local; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/pull/7244
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-44271
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-44271
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Exploit Prediction Scoring System (EPSS)
Percentile 0.29882
EPSS Score 0.00065
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.