CVE-2023-6277

MEDIUM EPSS 76.1%

Published Nov 24, 20232y ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Nov 24, 2023 2y ago

Last Modified Jun 17, 2026 1w ago

Description

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

76.1% percentile

Exploit & Patch Status

Public Exploit Known

Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 6

Vendor	Product	Version	Range
libtiff	libtiff	*	any
redhat	enterprise_linux	6.0	any
redhat	enterprise_linux	7.0	any
redhat	enterprise_linux	8.0	any
redhat	enterprise_linux	9.0	any
fedoraproject	fedora	38	any

References 23

seclists.org http://seclists.org/fulldisclosure/2024/Jul/16
seclists.org http://seclists.org/fulldisclosure/2024/Jul/17
seclists.org http://seclists.org/fulldisclosure/2024/Jul/18
seclists.org http://seclists.org/fulldisclosure/2024/Jul/19
seclists.org http://seclists.org/fulldisclosure/2024/Jul/20
seclists.org http://seclists.org/fulldisclosure/2024/Jul/21
seclists.org http://seclists.org/fulldisclosure/2024/Jul/22
seclists.org http://seclists.org/fulldisclosure/2024/Jul/23
access.redhat.com https://access.redhat.com/security/cve/CVE-2023-6277

Third Party Advisory
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2251311

Issue TrackingPatchThird Party Advisory
gitlab.com https://gitlab.com/libtiff/libtiff/-/issues/614

ExploitIssue TrackingPatchVendor Advisory
gitlab.com https://gitlab.com/libtiff/libtiff/-/merge_requests/545

PatchVendor Advisory
lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJIN6DTSL3VODZUGWEUXLEL5DR53EZMV/
lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7ZGN2MZXJ6E57W3L4YBM3ZPAU3T7T5C/
security.netapp.com https://security.netapp.com/advisory/ntap-20240119-0002/
support.apple.com https://support.apple.com/kb/HT214116
support.apple.com https://support.apple.com/kb/HT214117
support.apple.com https://support.apple.com/kb/HT214118
support.apple.com https://support.apple.com/kb/HT214119
support.apple.com https://support.apple.com/kb/HT214120
support.apple.com https://support.apple.com/kb/HT214122
support.apple.com https://support.apple.com/kb/HT214123
support.apple.com https://support.apple.com/kb/HT214124

Remediation

bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2251311

Issue TrackingPatchThird Party Advisory
gitlab.com https://gitlab.com/libtiff/libtiff/-/issues/614

ExploitIssue TrackingPatchVendor Advisory
gitlab.com https://gitlab.com/libtiff/libtiff/-/merge_requests/545

PatchVendor Advisory