{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29408", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-04-05T19:36:35.043Z", "datePublished": "2023-08-02T19:52:48.613Z", "dateUpdated": "2025-02-13T16:49:15.755Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-11-03T20:07:04.860Z"}, "title": "Excessive resource consumption in golang.org/x/image/tiff", "descriptions": [{"lang": "en", "value": "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/tiff", "versions": [{"version": "0", "lessThan": "0.10.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "newDecoder"}, {"name": "Decode"}, {"name": "DecodeConfig"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "references": [{"url": "https://go.dev/issue/61582"}, {"url": "https://go.dev/cl/514897"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1989"}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"}], "credits": [{"lang": "en", "value": "Philippe Antoine (Catena cyber)"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:45.865Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/61582", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/514897", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-1989", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0009/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-17T18:46:10.965305Z", "id": "CVE-2023-29408", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T18:46:21.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/61582", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/514897", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-1989", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0009/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:07:45.865Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-29408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-17T18:46:10.965305Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T18:46:15.987Z"}}], "cna": {"title": "Excessive resource consumption in golang.org/x/image/tiff", "credits": [{"lang": "en", "value": "Philippe Antoine (Catena cyber)"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "versions": [{"status": "affected", "version": "0", "lessThan": "0.10.0", "versionType": "semver"}], "packageName": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "newDecoder"}, {"name": "Decode"}, {"name": "DecodeConfig"}]}], "references": [{"url": "https://go.dev/issue/61582"}, {"url": "https://go.dev/cl/514897"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1989"}, {"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"}], "descriptions": [{"lang": "en", "value": "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-08-02T19:52:48.613Z"}}}, "cveMetadata": {"cveId": "CVE-2023-29408", "state": "PUBLISHED", "dateUpdated": "2024-10-17T18:46:21.200Z", "dateReserved": "2023-04-05T19:36:35.043Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2023-08-02T19:52:48.613Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*", "matchCriteriaId": "32C71B1D-8466-4F3A-8477-D31FDB285296", "versionEndExcluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU."}], "id": "CVE-2023-29408", "lastModified": "2024-11-21T07:57:00.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-02T20:15:11.857", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/514897"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://go.dev/issue/61582"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-1989"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230831-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://go.dev/cl/514897"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://go.dev/issue/61582"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-1989"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230831-0009/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "golang.org/x/image/tiff: TIFF decoder does not place a limit on the size of compressed tile data", "id": "2228742", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228742"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.", "A flaw was found in the Golang tiff package, where it is vulnerable to a denial of service caused by not limiting the size of compressed tile data. By persuading a victim to open a specially crafted image file, a remote attacker can cause excessive memory and CPU consumption in decoding, resulting in a denial of service condition."], "name": "CVE-2023-29408", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "package_name": "acm-cluster-templates-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}], "public_date": "2023-08-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-29408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-29408\nhttps://go.dev/cl/514897\nhttps://go.dev/issue/61582\nhttps://pkg.go.dev/vuln/GO-2023-1989"], "threat_severity": "Moderate", "upstream_fix": "golang.org/x/image/tiff 0.10.0"}