{
  "threat_severity" : "Moderate",
  "public_date" : "2023-08-02T00:00:00Z",
  "bugzilla" : {
    "description" : "golang.org/x/image/tiff: TIFF decoder does not place a limit on the size of compressed tile data",
    "id" : "2228742",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2228742"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously crafted image can exploit this so that a small image (both in terms of pixel width/height and encoded size) makes the decoder decode large amounts of compressed data, consuming excessive memory and CPU.", "A flaw was found in the Go golang.org/x/image/tiff package: the TIFF decoder does not limit the size of compressed tile data, which makes it vulnerable to a denial of service. By persuading a victim to open a specially crafted image file, a remote attacker can cause excessive memory and CPU consumption during decoding, resulting in a denial-of-service condition." ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Will not fix",
    "package_name" : "acm-cluster-templates-operator-container",
    "cpe" : "cpe:/a:redhat:acm:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-29408\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-29408\nhttps://go.dev/cl/514897\nhttps://go.dev/issue/61582\nhttps://pkg.go.dev/vuln/GO-2023-1989" ],
  "name" : "CVE-2023-29408",
  "csaw" : false
}