Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugs - Vulnerabilities in Pillow 6.2.2 #1413

Open
balqaasem opened this issue Mar 24, 2024 · 0 comments
Open

Bugs - Vulnerabilities in Pillow 6.2.2 #1413

balqaasem opened this issue Mar 24, 2024 · 0 comments

Comments

@balqaasem
Copy link

balqaasem commented Mar 24, 2024

  • Arbitrary Code Execution: 9.8 Rated Critical Vulnerability Threat with EPS of 0.28% (68th percentile).
  • Out-of-bounds Read: 7.5 Rated High Vulnerability Threat with EPS of 0.35% (72nd percentile) and a low attack complexity.
  • Regular Expression Denial of Service (ReDoS): 7.5 Rated High Vulnerability Threat with EPS of 0.46% (75th percentile).

General Fix: Upgrade Pillow to version 9.0.0 or higher.

Pillow is a PIL (Python Imaging Library) fork.

1. Arbitrary Code Execution:

Affected versions of this package are vulnerable to Arbitrary Code Execution via PIL.ImageMath.eval which allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

How to fix?
Upgrade Pillow to version 9.0.0 or higher.

2. Out-of-bounds Read:

Affected versions of this package are vulnerable to Out-of-bounds Read. A out-of-bounds read in exists in J2kDecode in j2ku_gray_i.

How to fix?
Upgrade Pillow to version 8.2.0 or higher.

3. Regular Expression Denial of Service (ReDoS):

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

How to fix?
Upgrade Pillow to version 8.3.2 or higher.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant