CVE-2023-29408

Public on 2023-08-02
Modified on 2024-05-16
Description
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.0
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent Not Affected
Amazon Linux 2023 amazon-cloudwatch-agent Not Affected
Amazon Linux 2 - Docker Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2023 amazon-ecr-credential-helper Not Affected
Amazon Linux 1 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core amazon-ssm-agent Not Affected
Amazon Linux 2023 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core cni-plugins Not Affected
Amazon Linux 2023 cni-plugins Not Affected
Amazon Linux 1 containerd Not Affected
Amazon Linux 2 - Docker Extra containerd Not Affected
Amazon Linux 2023 containerd Not Affected
Amazon Linux 2 - Core cri-tools Not Affected
Amazon Linux 1 docker Not Affected
Amazon Linux 2 - Docker Extra docker Not Affected
Amazon Linux 2023 docker Not Affected
Amazon Linux 1 ecs-init Not Affected
Amazon Linux 2 - Ecs Extra ecs-init Not Affected
Amazon Linux 2023 ecs-init Not Affected
Amazon Linux 1 golang Not Affected
Amazon Linux 2 - Core golang Not Affected
Amazon Linux 2023 golang Not Affected
Amazon Linux 1 golist Not Affected
Amazon Linux 2 - Core golist Not Affected
Amazon Linux 2023 lynis Not Affected
Amazon Linux 2 - Core nerdctl Not Affected
Amazon Linux 2023 nerdctl Not Affected
Amazon Linux 2 - Docker Extra oci-add-hooks Not Affected
Amazon Linux 2023 oci-add-hooks Not Affected
Amazon Linux 2 - Core rclone Not Affected
Amazon Linux 1 runc Not Affected
Amazon Linux 2 - Docker Extra runc Not Affected
Amazon Linux 2023 runc Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2023-29408 Mitre: CVE-2023-29408