GitHub Advisory DatabaseGHSA-VJ42-XQ3R-HR3ROut-of-bounds reads in Pillow
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
40.5%
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
References
github.com/advisories/GHSA-vj42-xq3r-hr3r
github.com/python-pillow/Pillow/blob/master/docs/releasenotes/7.1.0.rst#security
github.com/python-pillow/Pillow/commit/ff60894d697d1992147b791101ad53a8bf1352e4
github.com/python-pillow/Pillow/commits/master/src/libImaging/
github.com/python-pillow/Pillow/pull/4505
github.com/python-pillow/Pillow/pull/4538
lists.fedoraproject.org/archives/list/[email protected]/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/
lists.fedoraproject.org/archives/list/[email protected]/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
nvd.nist.gov/vuln/detail/CVE-2020-10994
pillow.readthedocs.io/en/stable/releasenotes/
pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
snyk.io/vuln/SNYK-PYTHON-PILLOW-574575
usn.ubuntu.com/4430-1/
usn.ubuntu.com/4430-2/
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
40.5%