Skip to main content
Version: latest

CVE-2023-52356

CVE Details

Visit the official vulnerability details page for CVE-2023-52356 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

tiff

NIST CVE Summary

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

CVE Severity

7.5

Our Official Summary

This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF file is passed to the TIFFReadRGBATileExt() API.

The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.11⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.10⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.8⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.5⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.5.4⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact
4.4.20⚠️ Impacted⚠️ Impacted✅ No Impact✅ No Impact

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
11/28/2024Official summary revised: This is a vulnerability in libtiff that can be exploited by a remote attacker to cause a heap-buffer overflow and denial-of-service. The vulnerability is caused by a segment fault (SEGV) flaw that can be triggered when a crafted TIFF file is passed to the TIFFReadRGBATileExt() API. The risk of exploitation of this vulnerability for our products is low as these containers canot be modified without privileged access and running arbitrary code. Containers have security controls in place to prevent these actions. We will wait for an upstream fix and then upgrade these components.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5