CVE-2013-1960

Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file.

Published: 2013-07-03 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2013-1960 is rated High Risk (66.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 4.53%). High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2013-1960

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-10-19 6.28% 4.53% -1.75%
2 2025-03-30 9.47% 6.28% -3.19%
3 2025-03-29 9.47%

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-1960

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.3 2.0 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 8.6 10.0 [email protected]

Weakness enumeration for CVE-2013-1960

OS Trackers for CVE-2013-1960

vendor priority summary link
debian not yet assigned CVE-2013-1960 not yet assigned priority: Debian including 1 source packages (tiff), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2013-1960
gentoo normal CVE-2013-1960: 1 GLSA(s) (201402-21), 1 atom(s) (media-libs/tiff); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-1960
redhat medium https://access.redhat.com/security/cve/CVE-2013-1960
suse critical CVE-2013-1960 severity critical: SUSE including 309 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 389 product×package rows across 67 product lines (HPE Helion OpenStack 8, SUSE Linux Enterprise Desktop 11 SP2, … (67 product lines)): Known Affected 231, Fixed 113, Known Not Affected 45. https://www.suse.com/security/cve/CVE-2013-1960/
ubuntu medium CVE-2013-1960 medium priority: Ubuntu including 2 source packages (tiff, tiff3), 18 status rows across 9 suites (hardy, lucid, oneiric, precise, quantal, raring, saucy, trusty, upstream): released 6, DNE 5, ignored 5, needed 2. https://ubuntu.com/security/CVE-2013-1960

Affected software / configurations for CVE-2013-1960

Vendor Product Version Raw CPE
remotesensing libtiff <= 4.0.3 cpe:2.3:a:remotesensing:libtiff:*:*:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:*:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta18:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta24:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta28:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta29:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta31:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta32:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta34:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta35:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta36:*:*:*:*:*:*
remotesensing libtiff 3.4 cpe:2.3:a:remotesensing:libtiff:3.4:beta37:*:*:*:*:*:*
remotesensing libtiff 3.5.1 cpe:2.3:a:remotesensing:libtiff:3.5.1:*:*:*:*:*:*:*
remotesensing libtiff 3.5.2 cpe:2.3:a:remotesensing:libtiff:3.5.2:*:*:*:*:*:*:*
remotesensing libtiff 3.5.3 cpe:2.3:a:remotesensing:libtiff:3.5.3:*:*:*:*:*:*:*
remotesensing libtiff 3.5.4 cpe:2.3:a:remotesensing:libtiff:3.5.4:*:*:*:*:*:*:*
remotesensing libtiff 3.5.5 cpe:2.3:a:remotesensing:libtiff:3.5.5:*:*:*:*:*:*:*
remotesensing libtiff 3.5.6 cpe:2.3:a:remotesensing:libtiff:3.5.6:*:*:*:*:*:*:*
remotesensing libtiff 3.5.6 cpe:2.3:a:remotesensing:libtiff:3.5.6:beta:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:*:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:alpha:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:alpha2:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:alpha3:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:alpha4:*:*:*:*:*:*
remotesensing libtiff 3.5.7 cpe:2.3:a:remotesensing:libtiff:3.5.7:beta:*:*:*:*:*:*
remotesensing libtiff 3.6.0 cpe:2.3:a:remotesensing:libtiff:3.6.0:*:*:*:*:*:*:*
remotesensing libtiff 3.6.0 cpe:2.3:a:remotesensing:libtiff:3.6.0:beta:*:*:*:*:*:*
remotesensing libtiff 3.6.0 cpe:2.3:a:remotesensing:libtiff:3.6.0:beta2:*:*:*:*:*:*
remotesensing libtiff 3.6.1 cpe:2.3:a:remotesensing:libtiff:3.6.1:*:*:*:*:*:*:*
remotesensing libtiff 3.7.0 cpe:2.3:a:remotesensing:libtiff:3.7.0:*:*:*:*:*:*:*
remotesensing libtiff 3.7.0 cpe:2.3:a:remotesensing:libtiff:3.7.0:alpha:*:*:*:*:*:*
remotesensing libtiff 3.7.0 cpe:2.3:a:remotesensing:libtiff:3.7.0:beta:*:*:*:*:*:*
remotesensing libtiff 3.7.0 cpe:2.3:a:remotesensing:libtiff:3.7.0:beta2:*:*:*:*:*:*
remotesensing libtiff 3.7.1 cpe:2.3:a:remotesensing:libtiff:3.7.1:*:*:*:*:*:*:*
remotesensing libtiff 3.7.2 cpe:2.3:a:remotesensing:libtiff:3.7.2:*:*:*:*:*:*:*
remotesensing libtiff 3.7.3 cpe:2.3:a:remotesensing:libtiff:3.7.3:*:*:*:*:*:*:*
remotesensing libtiff 3.7.4 cpe:2.3:a:remotesensing:libtiff:3.7.4:*:*:*:*:*:*:*
remotesensing libtiff 3.8.0 cpe:2.3:a:remotesensing:libtiff:3.8.0:*:*:*:*:*:*:*
remotesensing libtiff 3.8.1 cpe:2.3:a:remotesensing:libtiff:3.8.1:*:*:*:*:*:*:*
remotesensing libtiff 3.8.2 cpe:2.3:a:remotesensing:libtiff:3.8.2:*:*:*:*:*:*:*
remotesensing libtiff 3.9.0 cpe:2.3:a:remotesensing:libtiff:3.9.0:*:*:*:*:*:*:*
remotesensing libtiff 3.9.0 cpe:2.3:a:remotesensing:libtiff:3.9.0:beta:*:*:*:*:*:*
remotesensing libtiff 3.9.1 cpe:2.3:a:remotesensing:libtiff:3.9.1:*:*:*:*:*:*:*
remotesensing libtiff 3.9.2 cpe:2.3:a:remotesensing:libtiff:3.9.2:*:*:*:*:*:*:*
remotesensing libtiff 3.9.3 cpe:2.3:a:remotesensing:libtiff:3.9.3:*:*:*:*:*:*:*
remotesensing libtiff 3.9.4 cpe:2.3:a:remotesensing:libtiff:3.9.4:*:*:*:*:*:*:*
remotesensing libtiff 4.0.0 cpe:2.3:a:remotesensing:libtiff:4.0.0:*:*:*:*:*:*:*
remotesensing libtiff 4.0.1 cpe:2.3:a:remotesensing:libtiff:4.0.1:*:*:*:*:*:*:*
remotesensing libtiff 4.0.2 cpe:2.3:a:remotesensing:libtiff:4.0.2:*:*:*:*:*:*:*

References for CVE-2013-1960

cvelogic Threat Intelligence