
CVE-2023-44271: Pillow Denial of Service vulnerability

CVSS Score (CVSS 3.1): 7.5

Basic Information

EPSS Score: 0.34157%
Published: 11/3/2023
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pillow       | pip       | >= 0, < 10.0.0      | 10.0.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from text-processing functions in ImageFont.py that lacked input validation. The fixing GitHub commit adds a _string_length_check() call to those text-processing methods, and its test cases verify that they previously accepted inputs of 1M+ characters. The CWE-400/CWE-770 mapping confirms this is a resource-consumption issue. Because the patch modifies exactly these functions to add length validation, they are clearly identified as the vulnerable points.
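As an added defender-side example (not code from this page or from Pillow itself), the script below flags Pillow pins that fall in the advisory's vulnerable range and applies the same kind of length guard the patch introduced in front of a text-consuming call. The 1,000,000-character cap, the `pip freeze` sample and the `measure_text` stand-in are assumptions, not values taken from the advisory.

```python
import re

# Advisory data: pillow >= 0, < 10.0.0 is vulnerable; 10.0.0 is the first patched version.
FIRST_PATCHED = (10, 0, 0)
# Assumed cap (not from the advisory): mirrors the "1M+ character" inputs the tests rejected.
MAX_STRING_LENGTH = 1_000_000
# Constructed `pip freeze` sample used by the checks below.
SAMPLE_FREEZE = "pillow==9.5.0\nPillow==10.1.0\nrequests==2.31.0\n"


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch); pre-release suffixes such as 'rc1' are ignored."""
    match = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())

def is_vulnerable(version: str) -> bool:
    """True when the Pillow version falls inside the advisory's vulnerable range."""
    return parse_version(version) < FIRST_PATCHED

def vulnerable_pins(freeze_output: str) -> list:
    """Return the `pillow==X` lines that pin a vulnerable release (case-insensitive)."""
    pin = re.compile(r"^\s*pillow\s*==\s*([0-9][^\s;#]*)", re.IGNORECASE)
    hits = []
    for line in freeze_output.splitlines():
        match = pin.match(line)
        if match and is_vulnerable(match.group(1)):
            hits.append(line.strip())
    return hits

def string_length_check(text: str) -> str:
    """Reject oversized text before it reaches a text-processing routine."""
    if len(text) > MAX_STRING_LENGTH:
        raise ValueError("too many characters in string")
    return text

def with_length_check(func):
    """Decorator that applies string_length_check to the first (text) argument."""
    def guarded(text, *args, **kwargs):
        return func(string_length_check(text), *args, **kwargs)
    return guarded

@with_length_check
def measure_text(text: str, char_width: int = 6) -> int:
    """Stand-in (assumed, not Pillow's) for a font's text-measuring routine."""
    return len(text) * char_width
```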


WAF Protection Rules

WAF Rule

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when
