Homepage
About Snyk

Resource Exhaustion Affecting tiff package, versions <4.6.0-r1

Severity

 Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment

    Threat Intelligence

    EPSS
    0.08% (36th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-CHAINGUARDLATEST-TIFF-6114725
  • published 11 Dec 2023
  • disclosed 24 Nov 2023
Report a new vulnerability Found a mistake?

Introduced: 24 Nov 2023

CVE-2023-6277 Open this link in a new tab
CWE-400 Open this link in a new tab

How to fix?

Upgrade Chainguard tiff to version 4.6.0-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.

References

CVSS Scores

version 3.1
Expand this section

NVD

Recommended
6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

Red Hat

6.5 medium