CVE-2023-44271
Denial of Service vulnerability in pillow (PyPI)
What is CVE-2023-44271 About?
Pillow before version 10.0.0 is susceptible to a Denial of Service (DoS) when ImageDraw's textlength is called with a very long text argument and a truetype ImageFont. Memory allocation during text measurement grows with the length of the input and is not bounded by the library, so a sufficiently long string can exhaust system memory and crash the service. Exploitation is straightforward for any attacker who can feed excessively long text into such a call.
Affected Software
- pillow
- <1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
- <10.0.0
Technical Details
The Denial of Service vulnerability in Pillow (versions prior to 10.0.0) affects the truetype functionality in ImageFont when used together with ImageDraw's textlength operation. When an attacker supplies an exceptionally long text argument to textlength, the truetype measurement path allocates memory in proportion to the number of characters without any upper bound or check. Because the cost scales with attacker-controlled input length, a single request can consume memory far out of proportion to its size, exhausting available system memory and causing the Python process to be killed or the host to become unstable. The fix (commit 1fe1bb49c452b0318cad12ea9d97c3bef188e9a7, released in 10.0.0) introduced ImageFont.MAX_STRING_LENGTH, a library-level cap (default 1,000,000 characters) above which ImageFont raises a ValueError before any allocation takes place.
What is the Impact of CVE-2023-44271?
Successful exploitation may allow attackers to cause a denial of service, rendering services or applications utilizing the vulnerable Pillow library unavailable to legitimate users.
What is the Exploitability of CVE-2023-44271?
Exploitation of this vulnerability is of low to medium complexity. An attacker needs to be able to supply arbitrarily long text to an application that uses Pillow's ImageFont and ImageDraw components for truetype text rendering and measurement. No authentication or privilege requirements are mentioned, so any user who can submit text to such an application could trigger the vulnerability. It is remotely exploitable when the text is accepted over a network (for example, a web application that renders user-submitted text into images). The primary prerequisite is the use of truetype fonts with textlength. The risk is heightened in applications that process user-supplied text for imaging purposes without validating its length.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-44271?
About the Fix from Resolved Security
Available Upgrade Options
- pillow
- <10.0.0 → Upgrade to 10.0.0 or later
- pillow
- <1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 → Upgrade to a build that includes commit 1fe1bb49c452b0318cad12ea9d97c3bef188e9a7 (the fix, first shipped in 10.0.0)
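Upgrading is the fix; until that is possible, the practical mitigation described above (refuse overlong text before it reaches ImageFont/ImageDraw) can be enforced in the application, and on 10.0.0+ the library's own cap can be tightened. The following is an added example, not Pillow's code and not part of this advisory. The helpers MAX_TEXT_CHARS, parse_version, is_vulnerable, check_text_length, guarded_textlength, tighten_builtin_limit and render_label are hypothetical names; the cap value of 4096 is an assumption chosen for illustration. Pillow API used: ImageFont.truetype, ImageDraw.Draw(...).textlength and .text, and ImageFont.MAX_STRING_LENGTH (Pillow >= 10.0.0). The font path in the usage note is a constructed example.

```python
# Added example for CVE-2023-44271; not Pillow's own code.  All helper names
# are hypothetical application-side code; MAX_TEXT_CHARS is an assumed value.
import re

FIXED_VERSION = (10, 0, 0)   # first release containing commit 1fe1bb49 (ImageFont.MAX_STRING_LENGTH)
MAX_TEXT_CHARS = 4096        # application cap (assumption); far below Pillow 10's default of 1_000_000


def parse_version(version: str) -> tuple:
    """Reduce a Pillow version string ('9.5.0', '10.0.0.post1') to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True for any Pillow release before 10.0.0, i.e. without a built-in text-length cap."""
    return parse_version(version) < FIXED_VERSION


def installed_pillow_is_vulnerable():
    """Check the Pillow that is actually importable; None when Pillow is not installed."""
    try:
        import PIL
    except ImportError:
        return None
    return is_vulnerable(PIL.__version__)


def is_safe_length(text, max_chars: int = MAX_TEXT_CHARS) -> bool:
    """Length gate applied before text reaches ImageFont/ImageDraw.
    Counts code points, which is what Pillow iterates over when laying out a string."""
    return isinstance(text, str) and len(text) <= max_chars


def check_text_length(text, max_chars: int = MAX_TEXT_CHARS) -> str:
    """Reject oversized (or non-string) input instead of forwarding it; returns text unchanged when OK."""
    if not isinstance(text, str):
        raise TypeError("text must be a str")
    if not is_safe_length(text, max_chars):
        raise ValueError(f"text rejected: {len(text)} characters exceeds cap of {max_chars}")
    return text


def guarded_textlength(draw, text, font, max_chars: int = MAX_TEXT_CHARS):
    """Drop-in for draw.textlength(text, font=font) that enforces the cap first.
    `draw` is an ImageDraw.ImageDraw (or any object with the same textlength signature)."""
    check_text_length(text, max_chars)
    return draw.textlength(text, font=font)


def tighten_builtin_limit(max_chars: int = MAX_TEXT_CHARS) -> bool:
    """Defence in depth on Pillow >= 10.0.0: lower the library's own cap.
    Returns False when Pillow is absent or predates the fix; then the
    application-level gate above is the only protection."""
    try:
        from PIL import ImageFont
    except ImportError:
        return False
    if not hasattr(ImageFont, "MAX_STRING_LENGTH"):
        return False          # pre-10.0.0: attribute does not exist
    ImageFont.MAX_STRING_LENGTH = max_chars
    return True


def render_label(text, font_path, size: int = 24, max_chars: int = MAX_TEXT_CHARS):
    """End-to-end use: gate, measure, then render user text with a truetype font.
    Requires Pillow and a real .ttf file at font_path."""
    from PIL import Image, ImageDraw, ImageFont
    check_text_length(text, max_chars)                      # gate before any Pillow work
    font = ImageFont.truetype(font_path, size)
    probe = ImageDraw.Draw(Image.new("RGB", (1, 1)))
    width = int(guarded_textlength(probe, text, font, max_chars)) + 2 * size
    image = Image.new("RGB", (width, 2 * size), "white")
    ImageDraw.Draw(image).text((size, size // 2), text, font=font, fill="black")
    return image


if __name__ == "__main__":
    print("installed Pillow vulnerable:", installed_pillow_is_vulnerable())
    print("built-in limit tightened:", tighten_builtin_limit())
    print("5000-character input accepted:", is_safe_length("A" * 5000))
```

Usage: call `tighten_builtin_limit()` once at startup, then route every user-controlled string through `check_text_length` or `guarded_textlength` before it reaches `ImageDraw.textlength`, `textbbox` or `text`; for example `render_label(user_text, "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf")` (constructed path). The application-level cap is the part that still matters on a vulnerable release, since setting `ImageFont.MAX_STRING_LENGTH` has no effect before 10.0.0.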
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4/
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
- https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
- https://osv.dev/vulnerability/GHSA-8ghj-p4vj-mr35
- https://github.com/python-pillow/Pillow
- https://nvd.nist.gov/vuln/detail/CVE-2023-44271
- https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
What are Similar Vulnerabilities to CVE-2023-44271?
Similar Vulnerabilities: CVE-2023-34104, CVE-2023-32695, CVE-2023-28867, CVE-2021-34449, CVE-2021-23343
