Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2021:3917
HistoryOct 19, 2021 - 12:05 p.m.

(RHSA-2021:3917) Important: Red Hat Quay v3.6.0 security, bug fix and enhancement update

2021-10-1912:05:33
access.redhat.com
20

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.01 Low

EPSS

Percentile

83.7%

JSON

Quay 3.6.0 release

Security Fix(es):

  • nodejs-url-parse: incorrect hostname in url parsing (CVE-2018-3774)

  • python-pillow: insufficent fix for CVE-2020-35654 due to incorrect error checking in TiffDecode.c (CVE-2021-25289)

  • nodejs-urijs: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27516)

  • nodejs-debug: Regular expression Denial of Service (CVE-2017-16137)

  • nodejs-mime: Regular expression Denial of Service (CVE-2017-16138)

  • nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format (CVE-2018-1107)

  • nodejs-extend: Prototype pollution can allow attackers to modify object properties (CVE-2018-16492)

  • nodejs-stringstream: out-of-bounds read leading to uninitialized memory exposure (CVE-2018-21270)

  • nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution (CVE-2019-20920)

  • nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS (CVE-2019-20922)

  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)

  • nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)

  • nodejs-highlight-js: prototype pollution via a crafted HTML code block (CVE-2020-26237)

  • urijs: Hostname spoofing via backslashes in URL (CVE-2020-26291)

  • python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow (CVE-2020-35654)

  • browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364)

  • nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368)

  • nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382)

  • python-pillow: negative-offset memcpy with an invalid size in TiffDecode.c (CVE-2021-25290)

  • python-pillow: out-of-bounds read in TiffReadRGBATile in TiffDecode.c (CVE-2021-25291)

  • python-pillow: backtracking regex in PDF parser could be used as a DOS attack (CVE-2021-25292)

  • python-pillow: out-of-bounds read in SGIRleDecode.c (CVE-2021-25293)

  • nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (CVE-2021-27515)

  • python-pillow: reported size of a contained image is not properly checked for a BLP container (CVE-2021-27921)

  • python-pillow: reported size of a contained image is not properly checked for an ICNS container (CVE-2021-27922)

  • python-pillow: reported size of a contained image is not properly checked for an ICO container (CVE-2021-27923)

  • python-pillow: buffer overflow in Convert.c because it allow an attacker to pass controlled parameters directly into a convert function (CVE-2021-34552)

  • nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js (CVE-2018-1109)

  • lodash: Prototype pollution in utilities function (CVE-2018-3721)

  • hoek: Prototype pollution in utilities function (CVE-2018-3728)

  • lodash: uncontrolled resource consumption in Data handler causing denial of service (CVE-2019-1010266)

  • nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

  • python-pillow: decoding a crafted PCX file could result in buffer over-read (CVE-2020-35653)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related

nessus 61
osv 17
openvas 43
ubuntu 3
fedora 13
suse 3
redhat 9
rocky 4
gentoo 2
oraclelinux 2
almalinux 3
huntr 5
debiancve 2
veracode 2
ubuntucve 2
photon 5
mageia 1
prion 3
f5 1
github 2
alpinelinux 1
redhatcve 3
cve 3
cloudfoundry 1
archlinux 2
amazon 1
debian 1
slackware 1
ibm 3
nessus
nessus
Fedora 32 : python-pillow / python2-pillow (2021-0ece308612)
2021-03-15 00:00:00
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Pillow vulnerabilities (USN-4763-1)
2021-03-23 00:00:00
Fedora 33 : mingw-python-pillow / python-pillow / python2-pillow (2021-15845d3abe)
2021-03-15 00:00:00
osv
osv
pillow vulnerabilities
2021-03-11 14:56:28
Moderate: curl security update
2021-09-21 07:12:18
Moderate: python-pillow security update
2021-11-09 08:24:34
openvas
openvas
Ubuntu: Security Advisory (USN-4763-1)
2021-03-12 00:00:00
openSUSE: Security Advisory for python-CairoSVG, (openSUSE-SU-2021:1134-1)
2021-08-11 00:00:00
Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2021-2540)
2021-09-28 00:00:00
ubuntu
ubuntu
Pillow vulnerabilities
2021-03-11 00:00:00
Kerberos vulnerabilities
2023-03-16 00:00:00
Pillow vulnerabilities
2021-01-18 00:00:00
fedora
fedora
[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-5.fc33
2021-03-15 01:20:06
[SECURITY] Fedora 32 Update: python-pillow-7.0.0-7.fc32
2021-03-15 01:08:24
[SECURITY] Fedora 33 Update: python-pillow-7.2.0-5.fc33
2021-03-15 01:20:06
suse
suse
Security update for python-CairoSVG, python-Pillow (moderate)
2021-08-10 00:00:00
Security update for curl (moderate)
2021-07-21 00:00:00
Security update for curl (moderate)
2021-07-24 00:00:00
redhat
redhat
(RHSA-2020:5179) Low: Red Hat Virtualization security, bug fix, and enhancement update
2020-11-24 12:30:25
(RHSA-2021:3582) Moderate: curl security update
2021-09-21 07:12:18
(RHSA-2021:4149) Moderate: python-pillow security update
2021-11-09 08:24:34
rocky
rocky
curl security update
2021-09-21 07:12:18
python-pillow security update
2021-11-09 08:24:34
krb5 security update
2021-09-21 07:09:33
gentoo
gentoo
Pillow: Multiple vulnerabilities
2021-07-14 00:00:00
Pillow: Multiple vulnerabilities
2021-01-11 00:00:00
oraclelinux
oraclelinux
curl security update
2021-09-21 00:00:00
krb5 security update
2021-09-23 00:00:00
almalinux
almalinux
Moderate: curl security update
2021-09-21 07:12:18
Moderate: python-pillow security update
2021-11-09 08:24:34
Moderate: krb5 security update
2021-09-21 07:09:33
huntr
huntr
Open Redirect in ionicabizau/git-up
2021-07-10 13:51:54
Open Redirect in tjenkinson/url-toolkit
2021-07-08 08:01:11
Open Redirect in ionicabizau/parse-url
2021-07-10 14:13:37
debiancve
debiancve
CVE-2021-25289
2021-03-19 04:15:00
CVE-2018-16492
2019-02-01 18:29:00
veracode
veracode
Denial Of Service (DoS)
2021-03-22 04:44:22
Regular Expression Denial Of Service (ReDoS)
2018-08-30 06:08:10
ubuntucve
ubuntucve
CVE-2021-25289
2021-03-03 00:00:00
CVE-2018-16492
2019-02-01 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2021-0069
2021-07-25 00:00:00
Moderate Photon OS Security Update - PHSA-2021-0273
2021-07-24 00:00:00
Moderate Photon OS Security Update - PHSA-2021-4.0-0069
2021-07-25 00:00:00
mageia
mageia
Updated curl packages fix security vulnerabilities
2021-07-27 23:21:53
prion
prion
Heap overflow
2021-03-19 04:15:00
Denial of service
2019-07-17 21:15:00
Buffer overflow
2019-02-01 18:29:00
f5
f5
K14102355 : Python Pillow vulnerability CVE-2021-25289
2021-06-03 00:00:00
github
github
Out of bounds write in Pillow
2021-03-29 16:35:16
Prototype Pollution in extend
2019-02-07 18:03:28
alpinelinux
alpinelinux
CVE-2021-25289
2021-03-19 04:15:00
redhatcve
redhatcve
CVE-2021-25289
2021-03-03 17:04:09
CVE-2018-16492
2019-02-04 20:50:30
CVE-2021-23368
2021-04-12 21:16:01
cve
cve
CVE-2021-25289
2021-03-19 04:15:00
CVE-2018-16492
2019-02-01 18:29:00
CVE-2017-16137
2018-06-07 02:29:00
cloudfoundry
cloudfoundry
USN-5959-1: Kerberos vulnerabilities Severity | Cloud Foundry
2023-04-29 00:00:00
archlinux
archlinux
[ASA-202107-59] curl: multiple issues
2021-07-21 00:00:00
[ASA-202101-11] python-pillow: multiple issues
2021-01-12 00:00:00
amazon
amazon
Medium: curl
2021-09-08 23:35:00
debian
debian
[SECURITY] [DLA 2716-1] pillow security update
2021-07-22 11:17:53
slackware
slackware
[slackware-security] curl
2021-07-21 18:22:03
ibm
ibm
Security Bulletin: Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs)
2023-02-01 21:43:34
Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)
2022-06-27 03:53:54
Security Bulletin: IBM Security Verify Governance has multiple vulnerabilities
2023-07-18 06:14:58

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.01 Low

EPSS

Percentile

83.7%

JSON
Related for RHSA-2021:3917
nessus61osv17openvas43ubuntu3fedora13suse3redhat9rocky4gentoo2oraclelinux2almalinux3huntr5debiancve2veracode2ubuntucve2photon5mageia1prion3f51github2alpinelinux1redhatcve3cve3cloudfoundry1archlinux2amazon1debian1slackware1ibm3