#VU85068 Resource exhaustion in LibTIFF


Published: 2024-01-08

Vulnerability identifier: #VU85068

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6277

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LibTIFF
Universal components / Libraries / Libraries used by multiple products

Vendor: LibTIFF

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the TIFFOpen() API. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

LibTIFF: All versions

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2251311
http://gitlab.com/libtiff/libtiff/-/issues/614
http://gitlab.com/libtiff/libtiff/-/merge_requests/545
http://gitlab.com/libtiff/libtiff/-/commit/d6bbe53a96b031ab8b53d20241825ddf9e8bf8f1
http://gitlab.com/libtiff/libtiff/-/commit/264a28eff71cf0038ba7b235238512fa594fa42f
http://gitlab.com/libtiff/libtiff/-/commit/abb4476fd2be87fc8ded3078e019f22f84ee0e8c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for tiff
Ubuntu update for tiff
Amazon Linux AMI update for libtiff
Fedora 39 update for tkimg
Fedora 38 update for tkimg
Denial of service in libtiff
openEuler update for libtiff