CVE-2023-36308 - Vulnerability Details - OpenCVE

ReportizFlow

disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Disintegration	Imaging

Configuration 1 [-]

cpe:2.3:a:disintegration:imaging:1.6.2:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/disintegration/imaging/issues/165
https://github.com/disintegration/imaging/releases/tag/v1.6.2
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/
https://lists.fedoraproject.org/archives/list/[email protected]/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/

History

Tue, 04 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.fedoraproject.org/archives/list/[email protected]/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/

Tue, 04 Nov 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.0004}`	epss `{'score': 0.0003}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00025}`	epss `{'score': 0.0004}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-09-05T00:00:00.000Z

Updated: 2025-11-04T17:12:35.101Z

Reserved: 2023-06-21T00:00:00.000Z

Link: CVE-2023-36308

Vulnrichment

Updated: 2025-11-04T17:12:35.101Z

NVD

Status : Modified

Published: 2023-09-05T04:15:08.703

Modified: 2025-11-04T18:15:40.753

Link: CVE-2023-36308

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-36308", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-04T17:12:35.101Z", "dateReserved": "2023-06-21T00:00:00.000Z", "datePublished": "2023-09-05T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T16:12:07.025Z"}, "descriptions": [{"lang": "en", "value": "disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence"}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2"}, {"url": "https://github.com/disintegration/imaging/issues/165"}, {"name": "FEDORA-2024-25b47765c6", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-05T20:29:22.475685Z", "id": "CVE-2023-36308", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T20:29:35.904Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/disintegration/imaging/issues/165", "tags": ["x_transferred"]}, {"name": "FEDORA-2024-25b47765c6", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T17:12:35.101Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/disintegration/imaging/issues/165", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/", "name": "FEDORA-2024-25b47765c6", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T17:12:35.101Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-36308", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-05T20:29:22.475685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-05T20:29:29.588Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2"}, {"url": "https://github.com/disintegration/imaging/issues/165"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/", "name": "FEDORA-2024-25b47765c6", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T16:12:07.025Z"}}}, "cveMetadata": {"cveId": "CVE-2023-36308", "state": "PUBLISHED", "dateUpdated": "2025-11-04T17:12:35.101Z", "dateReserved": "2023-06-21T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-09-05T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:disintegration:imaging:1.6.2:*:*:*:*:go:*:*", "matchCriteriaId": "585534FE-4333-40AD-BA0E-17DCFEDD1AD0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence"}, {"lang": "es", "value": "disintegration Imaging 1.6.2 permite a los atacantes causar un modo p\u00e1nico (debido a un \u00edndice entero fuera de rango durante una llamada Grayscale) a trav\u00e9s del archivo TIFF a la funci\u00f3n de escaneo de scanner.go. NOTA: no est\u00e1 claro si existen casos de uso comunes en los que este modo p\u00e1nico podr\u00eda tener alguna consecuencia de seguridad."}], "id": "CVE-2023-36308", "lastModified": "2025-11-04T18:15:40.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-09-05T04:15:08.703", "references": [{"source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/disintegration/imaging/issues/165"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2"}, {"source": "[email protected]", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/disintegration/imaging/issues/165"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/disintegration/imaging/releases/tag/v1.6.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/3GX2SYGRCNFUAGELLDOBIERCSCYSGKFY/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "[email protected]", "type": "Primary"}]}