CVE-2022-41727

Published: Feb 28, 2023Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

Affected (4)

Products: Golang: Image, Tiff · Fedoraproject: Fedora

2 products

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Image	Before 0.5.0
Golang Tiff	All versions

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 37
Fedoraproject Fedora	Version 38

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (14)

https://go.dev/cl/468195

Source: security@golang.org

Patch

https://go.dev/issue/58003

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o

Source: security@golang.org

Mailing ListVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/

Source: security@golang.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/

Source: security@golang.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/

Source: security@golang.org

https://pkg.go.dev/vuln/GO-2023-1572

Source: security@golang.org

Vendor Advisory

https://go.dev/cl/468195