CVE-2023-29408 — Excessive resource consumption in golang.org/x/image/tiff

Description

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

How to fix CVE-2023-29408

To remediate CVE-2023-29408, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 0.10.0 or later
—upgrade to 0.10.0 or later

Is CVE-2023-29408 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 0.10.0
from 0, < 0.10.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-29408
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-29408
WEBgo.dev/cl/514897
WEBgo.dev/issue/61582
WEB