CVE-2023-36308: 
Wolfi vulnerability analysis and mitigation

CVE-2023-36308 affects disintegration Imaging 1.6.2, a Go image processing library. The vulnerability was discovered in July 2023 and allows attackers to cause a panic through an integer index out of range during a Grayscale call when processing a crafted TIFF file via the scan function of scanner.go (GitHub Issue).

The vulnerability occurs in the scan function of scanner.go at line 242, where the statement c := s.palette[img.Pix[i]] attempts to access an out-of-bounds index. When processing certain maliciously crafted TIFF images, the code attempts to access index 70 while the palette length is only 65, resulting in a panic. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) (NVD).

The vulnerability results in a denial of service through application panic when processing specially crafted TIFF files. However, as noted in the CVE description, it is unclear whether there are common use cases in which this panic could have any security consequence beyond denial of service (NVD).

The issue has been addressed in some downstream packages by switching to maintained forks of the imaging library. For example, Fedora has patched their kitty package (version 0.31.0-2.fc39) by switching to a maintained fork of imaging that fixes this vulnerability (Fedora Update).