Skip to main content

Allocation of Resources Without Limits or Throttling

CVE-2023-29408

Severity Medium
Score 6.5/10

Summary

The TIFF decoder does not place a limit on the size of compressed "tile" data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU. This vulnerability affects golang.org/x/image package versions prior to 0.10.0. This has the same fix as CVE-2023-29407

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • REQUIRED
  • NONE
  • NONE
  • HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Advisory Timeline

  • Published