Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2020 Greenbone AGOPENVAS:1361412562311220192701
HistoryJan 23, 2020 - 12:00 a.m.

Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2019-2701)

2020-01-2300:00:00
Copyright (C) 2020 Greenbone AG
plugins.openvas.org
8

8.3 High

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.8%

JSON

The remote host is missing an update for the Huawei EulerOS

# SPDX-FileCopyrightText: 2020 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.2.2019.2701");
  script_cve_id("CVE-2014-1932", "CVE-2014-1933", "CVE-2014-3007", "CVE-2014-3589", "CVE-2016-4009");
  script_tag(name:"creation_date", value:"2020-01-23 13:14:45 +0000 (Thu, 23 Jan 2020)");
  script_version("2024-02-05T14:36:56+0000");
  script_tag(name:"last_modification", value:"2024-02-05 14:36:56 +0000 (Mon, 05 Feb 2024)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2016-04-15 18:22:42 +0000 (Fri, 15 Apr 2016)");

  script_name("Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2019-2701)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2020 Greenbone AG");
  script_family("Huawei EulerOS Local Security Checks");
  script_dependencies("gb_huawei_euleros_consolidation.nasl");
  script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROS\-2\.0SP5");

  script_xref(name:"Advisory-ID", value:"EulerOS-SA-2019-2701");
  script_xref(name:"URL", value:"https://developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html?secId=EulerOS-SA-2019-2701");

  script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS 'python-pillow' package(s) announced via the EulerOS-SA-2019-2701 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"The (1) load_djpeg function in JpegImagePlugin.py, (2) Ghostscript function in EpsImagePlugin.py, (3) load function in IptcImagePlugin.py, and (4) _copy function in Image.py in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 do not properly create temporary files, which allow local users to overwrite arbitrary files and obtain sensitive information via a symlink attack on the temporary file.(CVE-2014-1932)

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.(CVE-2014-1933)

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.(CVE-2014-3007)

PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.(CVE-2014-3589)

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.(CVE-2016-4009)");

  script_tag(name:"affected", value:"'python-pillow' package(s) on Huawei EulerOS V2.0SP5.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "EULEROS-2.0SP5") {

  if(!isnull(res = isrpmvuln(pkg:"python-pillow", rpm:"python-pillow~2.0.0~19.h3.gitd1c6db8.eulerosv2r7", rls:"EULEROS-2.0SP5"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);

Related

nessus 28
fedora 6
openvas 26
securityvulns 6
amazon 1
ubuntucve 5
cve 5
mageia 4
ubuntu 4
debiancve 5
github 5
osv 11
cvelist 5
prion 5
gentoo 1
debian 2
f5 1
veracode 1
rosalinux 1
nessus
nessus
EulerOS 2.0 SP5 : python-pillow (EulerOS-SA-2019-2701)
2019-12-23 00:00:00
Amazon Linux 2 : python-pillow (ALAS-2023-2286)
2023-10-05 00:00:00
Fedora 19 : python-pillow-2.0.0-16.gitd1c6db8.fc19 (2014-14980)
2014-11-24 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: python-pillow-2.2.1-7.fc20
2014-11-22 12:39:31
[SECURITY] Fedora 19 Update: python-pillow-2.0.0-16.gitd1c6db8.fc19
2014-11-22 12:40:12
[SECURITY] Fedora 19 Update: python-pillow-2.0.0-14.gitd1c6db8.fc19
2014-08-27 01:29:32
openvas
openvas
Fedora Update for python-pillow FEDORA-2014-14883
2014-11-23 00:00:00
Fedora Update for python-pillow FEDORA-2014-14980
2014-11-23 00:00:00
Fedora Update for python-pillow FEDORA-2014-9536
2014-08-27 00:00:00
securityvulns
securityvulns
pillow multiple security vulnerabilities
2015-04-19 00:00:00
[ MDVSA-2015:099 ] python-pillow
2015-04-19 00:00:00
Python Imaging Library security vulnerabilities
2014-05-04 00:00:00
amazon
amazon
Important: python-pillow
2023-09-27 22:49:00
ubuntucve
ubuntucve
CVE-2014-3007
2014-04-27 00:00:00
CVE-2014-1933
2014-02-21 00:00:00
CVE-2014-3589
2014-08-25 00:00:00
cve
cve
CVE-2014-3007
2014-04-27 20:55:00
CVE-2014-1933
2014-04-17 14:55:00
CVE-2014-3589
2014-08-25 14:55:00
mageia
mageia
Updated python-pillow packages fix insecure use of temporary files
2014-04-03 19:18:48
Updated python-imaging and python-pillow packages fix security vulnerability
2014-11-21 15:44:16
Updated python-imaging package fixes insecure use of temporary files
2014-04-03 19:18:48
ubuntu
ubuntu
Python Imaging Library vulnerabilities
2014-04-15 00:00:00
Python Imaging Library vulnerabilities
2016-09-15 00:00:00
Pillow regresssion
2016-09-30 00:00:00
debiancve
debiancve
CVE-2014-3007
2014-04-27 20:55:00
CVE-2014-3589
2014-08-25 14:55:00
CVE-2014-1933
2014-04-17 14:55:00
github
github
Pillow command injection
2022-05-17 04:45:39
Pillow Temporary file name leakage
2020-05-18 17:41:19
Pillow denial of service via Crafted Block Size
2022-05-14 02:05:20
osv
osv
Pillow command injection
2022-05-17 04:45:39
PYSEC-2014-87
2014-04-27 20:55:00
Pillow denial of service via Crafted Block Size
2022-05-14 02:05:20
cvelist
cvelist
CVE-2014-3007
2022-10-03 16:20:22
CVE-2016-4009
2016-04-13 16:00:00
CVE-2014-1933
2014-04-17 14:00:00
prion
prion
Design/Logic Flaw
2014-04-27 20:55:00
Code injection
2014-08-25 14:55:00
Command injection
2014-04-17 14:55:00
gentoo
gentoo
Pillow: Multiple vulnerabilities
2016-12-31 00:00:00
debian
debian
[SECURITY] [DSA 3009-1] python-imaging security update
2014-08-21 18:09:52
[DLA 41-1] python-imaging security update
2014-08-24 16:46:55
f5
f5
K67317871 : Python Pillow vulnerability CVE 2016-4009
2017-01-27 00:00:00
veracode
veracode
Integer Overflow
2017-05-16 03:23:08
rosalinux
rosalinux
Advisory ROSA-SA-2021-1957
2021-07-02 18:03:40

8.3 High

AI Score

Confidence

High

0.017 Low

EPSS

Percentile

87.8%

JSON
Related for OPENVAS:1361412562311220192701
nessus28fedora6openvas26securityvulns6amazon1ubuntucve5cve5mageia4ubuntu4debiancve5github5osv11cvelist5prion5gentoo1debian2f51veracode1rosalinux1