GoogleOSV:GHSA-3XV8-3J54-HGRPOut-of-bounds read in Pillow
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.3%
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
References
github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-77.yaml
github.com/python-pillow/Pillow
github.com/python-pillow/Pillow/commit/124f4bb591e16212605d0e41c413ed53e242cba2
github.com/python-pillow/Pillow/commit/6a83e4324738bb0452fbe8074a995b1c73f08de7#diff-9478f2787e3ae9668a15123b165c23ac
github.com/python-pillow/Pillow/commits/master/src/libImaging
github.com/python-pillow/Pillow/issues/4750
github.com/python-pillow/Pillow/pull/4538
lists.fedoraproject.org/archives/list/[email protected]/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD
lists.fedoraproject.org/archives/list/[email protected]/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427
nvd.nist.gov/vuln/detail/CVE-2020-10378
pillow.readthedocs.io/en/stable/releasenotes/6.2.3.html
pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
usn.ubuntu.com/4430-1
usn.ubuntu.com/4430-2
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.3%