GHSA-j7mj-748x-7p78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j7mj-748x-7p78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-j7mj-748x-7p78/GHSA-j7mj-748x-7p78.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j7mj-748x-7p78
- Aliases
- Published
- 2019-10-22T14:40:42Z
- Modified
- 2024-03-26T18:30:48.111024Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- DOS attack in Pillow when processing specially crafted image files
- Details
-
An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-16865
- https://github.com/python-pillow/Pillow/issues/4123
- https://github.com/python-pillow/Pillow/commit/ab52630d0644e42a75eb88b78b9a9d7438a6fbeb
- https://access.redhat.com/errata/RHSA-2020:0566
- https://access.redhat.com/errata/RHSA-2020:0578
- https://access.redhat.com/errata/RHSA-2020:0580
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://access.redhat.com/errata/RHSA-2020:0694
- https://github.com/python-pillow/Pillow
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3
- https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html
- https://ubuntu.com/security/notices/USN-4272-1
- https://usn.ubuntu.com/4272-1
- https://www.debian.org/security/2020/dsa-4631
Affected packages
PyPI / pillow
Package
- Name
- pillow
- View open source insights on deps.dev
- Purl
- pkg:pypi/pillow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.2.0
Affected versions
1.*
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.9.0
3.*
3.0.0
3.1.0.rc1
3.1.0rc1
3.1.0
3.1.1
3.1.2
3.2.0
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0
3.4.1
3.4.2
4.*
4.0.0
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
5.*
5.0.0
5.1.0
5.2.0
5.3.0
5.4.0.dev0
5.4.0
5.4.1
6.*
6.0.0
6.1.0