-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdjango-goat-bom.vdr.json
1 lines (1 loc) · 185 KB
/
django-goat-bom.vdr.json
1
{"bomFormat":"CycloneDX","components":[{"bom-ref":"pkg:pypi/django@2.1.7","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"django","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/django@2.1.7","type":"framework","version":"2.1.7"},{"bom-ref":"pkg:pypi/pytz@2024.2","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"pytz","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/pytz@2024.2","type":"library","version":"2024.2"},{"bom-ref":"pkg:pypi/pillow@5.4.1","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"pillow","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/pillow@5.4.1","type":"library","version":"5.4.1"},{"bom-ref":"pkg:pypi/behave@1.2.6","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"behave","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/behave@1.2.6","type":"library","version":"1.2.6"},{"bom-ref":"pkg:pypi/parse@1.20.2","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"parse","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/parse@1.20.2","type":"library","version":"1.20.2"},{"bom-ref":"pkg:pypi/parse-type@0.6.3","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"parse-type","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/parse-type@0.6.3","type":"library","version":"0.6.3"},{"bom-ref":"pkg:pypi/six@1.16.0","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"six","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/six@1.16.0","type":"library","version":"1.16.0"},{"bom-ref":"pkg:pypi/gunicorn@19.9.0","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"gunicorn","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/gunicorn@19.9.0","type":"library","version":"19.9.0"},{"bom-ref":"pkg:pypi/python-owasp-zap-v2.4@0.0.14","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"python-owasp-zap-v2.4","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/python-owasp-zap-v2.4@0.0.14","type":"library","version":"0.0.14"},{"bom-ref":"pkg:pypi/requests@2.32.3","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"requests","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/requests@2.32.3","type":"library","version":"2.32.3"},{"bom-ref":"pkg:pypi/charset-normalizer@3.3.2","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"charset-normalizer","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/charset-normalizer@3.3.2","type":"library","version":"3.3.2"},{"bom-ref":"pkg:pypi/idna@3.10","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"idna","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/idna@3.10","type":"library","version":"3.10"},{"bom-ref":"pkg:pypi/urllib3@2.2.3","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"urllib3","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/urllib3@2.2.3","type":"library","version":"2.2.3"},{"bom-ref":"pkg:pypi/certifi@2024.8.30","evidence":{"identity":{"confidence":0.8,"field":"purl","methods":[{"confidence":0.8,"technique":"manifest-analysis","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}]}},"group":"","name":"certifi","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/certifi@2024.8.30","type":"library","version":"2024.8.30"},{"bom-ref":"pkg:pypi/selenium@3.141.0","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"selenium","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/selenium@3.141.0","type":"library","version":"3.141.0"},{"bom-ref":"pkg:pypi/whitenoise@4.1.2","evidence":{"identity":{"confidence":1,"field":"purl","methods":[{"confidence":1,"technique":"instrumentation","value":"/home/runner/work/src_repos/python/django-goat/venv"}]}},"group":"","name":"whitenoise","properties":[{"name":"SrcFile","value":"/home/runner/work/src_repos/python/django-goat/requirements_tests.txt"}],"purl":"pkg:pypi/whitenoise@4.1.2","type":"library","version":"4.1.2"}],"dependencies":[{"dependsOn":["pkg:pypi/django@2.1.7","pkg:pypi/pillow@5.4.1","pkg:pypi/behave@1.2.6","pkg:pypi/gunicorn@19.9.0","pkg:pypi/parse-type@0.6.3","pkg:pypi/python-owasp-zap-v2.4@0.0.14","pkg:pypi/selenium@3.141.0","pkg:pypi/whitenoise@4.1.2"],"ref":"pkg:pypi/django-goat@latest"},{"dependsOn":[],"ref":"pkg:pypi/pytz@2024.2"},{"dependsOn":["pkg:pypi/pytz@2024.2"],"ref":"pkg:pypi/django@2.1.7"},{"dependsOn":[],"ref":"pkg:pypi/pillow@5.4.1"},{"dependsOn":[],"ref":"pkg:pypi/parse@1.20.2"},{"dependsOn":["pkg:pypi/parse@1.20.2","pkg:pypi/six@1.16.0"],"ref":"pkg:pypi/parse-type@0.6.3"},{"dependsOn":[],"ref":"pkg:pypi/six@1.16.0"},{"dependsOn":["pkg:pypi/parse-type@0.6.3","pkg:pypi/parse@1.20.2","pkg:pypi/six@1.16.0"],"ref":"pkg:pypi/behave@1.2.6"},{"dependsOn":[],"ref":"pkg:pypi/gunicorn@19.9.0"},{"dependsOn":["pkg:pypi/certifi@2024.8.30","pkg:pypi/charset-normalizer@3.3.2","pkg:pypi/idna@3.10","pkg:pypi/urllib3@2.2.3"],"ref":"pkg:pypi/requests@2.32.3"},{"dependsOn":[],"ref":"pkg:pypi/charset-normalizer@3.3.2"},{"dependsOn":[],"ref":"pkg:pypi/idna@3.10"},{"dependsOn":[],"ref":"pkg:pypi/urllib3@2.2.3"},{"dependsOn":[],"ref":"pkg:pypi/certifi@2024.8.30"},{"dependsOn":["pkg:pypi/requests@2.32.3","pkg:pypi/six@1.16.0"],"ref":"pkg:pypi/python-owasp-zap-v2.4@0.0.14"},{"dependsOn":["pkg:pypi/urllib3@2.2.3"],"ref":"pkg:pypi/selenium@3.141.0"},{"dependsOn":[],"ref":"pkg:pypi/whitenoise@4.1.2"}],"metadata":{"authors":[{"name":"OWASP Foundation"}],"component":{"bom-ref":"pkg:pypi/django-goat@latest","group":"","name":"django-goat","purl":"pkg:pypi/django-goat@latest","type":"application","version":"latest"},"lifecycles":[{"phase":"build"}],"properties":[{"name":"cdx:bom:componentTypes","value":"pypi"}],"timestamp":"2024-09-16T15:14:08Z","tools":{"components":[{"author":"OWASP Foundation","bom-ref":"pkg:npm/@cyclonedx/cdxgen@10.9.11","group":"@cyclonedx","name":"cdxgen","publisher":"OWASP Foundation","purl":"pkg:npm/%40cyclonedx/cdxgen@10.9.11","type":"application","version":"10.9.11"},{"bom-ref":"pkg:pypi/owasp-depscan@6.0.0","name":"owasp-depscan","purl":"pkg:pypi/owasp-depscan@6.0.0","type":"application","version":"6.0.0"}]}},"serialNumber":"urn:uuid:5c103da8-10fa-4497-a66c-ebe5dd7ebbd4","specVersion":"1.5","version":2,"vulnerabilities":[{"advisories":[{"title":"Backdropcms Advisory backdrop-sa-core-2019-009","url":"https://backdropcms.org/security/backdrop-sa-core-2019-009"},{"title":"Red Hat Advisory RHSA-2019:3023","url":"https://access.redhat.com/errata/RHSA-2019:3023"},{"title":"Snyk Advisory SNYK-JS-JQUERY-174006","url":"https://snyk.io/vuln/SNYK-JS-JQUERY-174006"},{"title":"Debian Advisory dsa-4460","url":"https://www.debian.org/security/2019/dsa-4460"},{"title":"CVE-2019-11358","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"},{"title":"Oracle Advisory cpuApr2021","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"title":"Tenable Advisory tns-2020-02","url":"https://www.tenable.com/security/tns-2020-02"},{"title":"Synology Advisory Synology_SA_19_19","url":"https://www.synology.com/security/advisory/Synology_SA_19_19"},{"title":"Tenable Advisory tns-2019-08","url":"https://www.tenable.com/security/tns-2019-08"},{"title":"Red Hat Advisory RHBA-2019:1570","url":"https://access.redhat.com/errata/RHBA-2019:1570"},{"title":"Oracle Advisory cpuoct2020","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"title":"Oracle Advisory cpujan2020","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"title":"Red Hat Advisory RHSA-2019:2587","url":"https://access.redhat.com/errata/RHSA-2019:2587"},{"title":"Oracle Advisory cpujul2019-5072835","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"title":"Oracle Advisory cpuoct2021","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"title":"Oracle Advisory cpujul2020","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"title":"Jquery Advisory jquery-3-4-0-released","url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released"},{"title":"Oracle Advisory cpuoct2019-5072832","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"title":"Red Hat Advisory RHSA-2019:3024","url":"https://access.redhat.com/errata/RHSA-2019:3024"},{"title":"Oracle Advisory cpujul2021","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"title":"Snyk Advisory SNYK-DOTNET-JQUERY-450226","url":"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226"},{"title":"Red Hat Advisory RHSA-2019:1456","url":"https://access.redhat.com/errata/RHSA-2019:1456"},{"title":"Debian Advisory dsa-4434","url":"https://www.debian.org/security/2019/dsa-4434"},{"title":"Oracle Advisory cpujan2021","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"title":"Oracle Advisory cpujan2022","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"title":"NetApp Advisory ntap-20190919-0001","url":"https://security.netapp.com/advisory/ntap-20190919-0001"},{"title":"Oracle Advisory cpuapr2020","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"title":"GitHub Advisory CVE-2019-11358","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.0a1|<2.1.9","status":"affected"},{"status":"unaffected","version":"2.1.9"}]}],"analysis":{},"bom-ref":"CVE-2019-11358/pkg:pypi/django@2.1.7","cwes":[1321,79],"description":"XSS in jQuery as used in Drupal, Backdrop CMS, and other products","detail":"# XSS in jQuery as used in Drupal, Backdrop CMS, and other products jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`. ## Related CVE(s) CVE-2019-11358, SNYK-JS-JQUERY-174006","id":"CVE-2019-11358","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-04-26T16:29:11","ratings":[{"method":"CVSSv31","score":6.1,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"recommendation":"Update to version 2.1.9 to resolve CVE-2019-11358 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"}},{"id":"apache-msg-r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E"}},{"id":"backdrop-sa-core-2019-009","source":{"name":"Backdropcms Advisory","url":"https://backdropcms.org/security/backdrop-sa-core-2019-009"}},{"id":"openwall-oss-security-msg-2019-06-03-2","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/06/03/2"}},{"id":"RHSA-2019:3023","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:3023"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"fedoraproject-msg-5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"}},{"id":"SNYK-JS-JQUERY-174006","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-JS-JQUERY-174006"}},{"id":"apache-msg-b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"apache-msg-r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"}},{"id":"apache-msg-08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E"}},{"id":"dsa-4460","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4460"}},{"id":"fedoraproject-msg-WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"}},{"id":"apache-msg-08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E"}},{"id":"CVE-2019-11358","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"}},{"id":"cpuApr2021","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"}},{"id":"tns-2020-02","source":{"name":"Tenable Advisory","url":"https://www.tenable.com/security/tns-2020-02"}},{"id":"apache-msg-6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E"}},{"id":"Synology_SA_19_19","source":{"name":"Synology Advisory","url":"https://www.synology.com/security/advisory/Synology_SA_19_19"}},{"id":"apache-msg-r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E"}},{"id":"seclists-exploit-bugtraq/2019/May/18","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/May/18"}},{"id":"apache-msg-r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E"}},{"id":"tns-2019-08","source":{"name":"Tenable Advisory","url":"https://www.tenable.com/security/tns-2019-08"}},{"id":"RHBA-2019:1570","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHBA-2019:1570"}},{"id":"apache-msg-r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E"}},{"id":"cpuoct2020","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}},{"id":"apache-msg-r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E"}},{"id":"cpujan2020","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2020.html"}},{"id":"debian-msg-msg00024","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html"}},{"id":"apache-msg-519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"}},{"id":"apache-msg-r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"}},{"id":"RHSA-2019:2587","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:2587"}},{"id":"cpujul2019-5072835","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}},{"id":"debian-msg-msg00006","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html"}},{"id":"apache-msg-r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E"}},{"id":"cpuoct2021","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}},{"id":"fedoraproject-msg-5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"}},{"id":"cpujul2020","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujul2020.html"}},{"id":"seclists-exploit-fulldisclosure/2019/May/13","source":{"name":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/13"}},{"id":"apache-msg-r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E"}},{"id":"seclists-exploit-fulldisclosure/2019/May/11","source":{"name":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/11"}},{"id":"archive-msg-108023","source":{"name":"Archive Mailing List","url":"https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023"}},{"id":"jquery-3-4-0-released","source":{"name":"Jquery Advisory","url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released"}},{"id":"fedoraproject-msg-KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"}},{"id":"securityfocus-msg-108023","source":{"name":"Security Focus Mailing List","url":"http://www.securityfocus.com/bid/108023"}},{"id":"cpuoct2019-5072832","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}},{"id":"apache-msg-rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E"}},{"id":"debian-msg-msg00040","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}},{"id":"apache-msg-b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E"}},{"id":"apache-msg-r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E"}},{"id":"apache-msg-b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E"}},{"id":"apache-msg-b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"}},{"id":"RHSA-2019:3024","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:3024"}},{"id":"fedoraproject-msg-WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"}},{"id":"cpujul2021","source":{"name":"Oracle Advisory","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}},{"id":"apache-msg-rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E"}},{"id":"debian-msg-msg00029","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"}},{"id":"SNYK-DOTNET-JQUERY-450226","source":{"name":"Snyk Advisory","url":"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226"}},{"id":"seclists-exploit-bugtraq/2019/Jun/12","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jun/12"}},{"id":"fedoraproject-msg-4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"}},{"id":"fedoraproject-msg-RLXRX23725JL366CNZGJZ7AQQB7LHQ6F","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"}},{"id":"fedoraproject-msg-QV3PKZC3PQCO3273HAT76PAQZFBEO4KP","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"}},{"id":"apache-msg-6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E"}},{"id":"fedoraproject-msg-4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"}},{"id":"RHSA-2019:1456","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:1456"}},{"id":"seclists-exploit-bugtraq/2019/Apr/32","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Apr/32"}},{"id":"apache-msg-88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E"}},{"id":"dsa-4434","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4434"}},{"id":"apache-msg-519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"}},{"id":"apache-msg-f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"}},{"id":"fedoraproject-msg-QV3PKZC3PQCO3273HAT76PAQZFBEO4KP","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"}},{"id":"apache-msg-5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E"}},{"id":"cpujan2021","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2021.html"}},{"id":"apache-msg-bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"}},{"id":"apache-msg-ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E"}},{"id":"apache-msg-ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E"}},{"id":"apache-msg-5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E"}},{"id":"packetstormsecurity-exploit-RetireJS-CORS-Issue-Script-Execution.html","source":{"name":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html"}},{"id":"packetstormsecurity-exploit-OctoberCMS-Insecure-Dependencies.html","source":{"name":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html"}},{"id":"cpujan2022","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}},{"id":"fedoraproject-msg-RLXRX23725JL366CNZGJZ7AQQB7LHQ6F","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"}},{"id":"apache-msg-f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"}},{"id":"seclists-exploit-fulldisclosure/2019/May/10","source":{"name":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/10"}},{"id":"apache-msg-r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E"}},{"id":"ntap-20190919-0001","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190919-0001"}},{"id":"apache-msg-r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E"}},{"id":"cpuapr2020","source":{"name":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"}},{"id":"apache-msg-bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3","source":{"name":"Apache Mailing List","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"}},{"id":"CVE-2019-11358","source":{"name":"GitHub Advisory","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml"}},{"id":"packetstormsecurity-exploit-dotCMS-5.1.1-Vulnerable-Dependencies.html","source":{"name":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"},"updated":"2024-11-05T20:22:31"},{"advisories":[{"title":"GitHub Advisory GHSA-68w8-qjq3-2gfm","url":"https://github.com/advisories/GHSA-68w8-qjq3-2gfm"},{"title":"GitHub Advisory PYSEC-2021-98","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml"},{"title":"NetApp Advisory ntap-20210727-0004","url":"https://security.netapp.com/advisory/ntap-20210727-0004"},{"title":"CVE-2021-33203","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33203"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=1.0.1|<=2.2rc1","status":"affected"},{"status":"unaffected","version":"2.2.24"}]}],"analysis":{},"bom-ref":"CVE-2021-33203/pkg:pypi/django@2.1.7","cwes":[22],"description":"Path Traversal in Django","detail":"# Path Traversal in Django Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. ## Related CVE(s) BIT-django-2021-33203, CVE-2021-33203, PYSEC-2021-98","id":"CVE-2021-33203","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-10T17:21:00","ratings":[{"method":"CVSSv31","score":4.9,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}],"recommendation":"Update to version 2.2.24 to resolve CVE-2021-33203 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV"}},{"id":"GHSA-68w8-qjq3-2gfm","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-68w8-qjq3-2gfm"}},{"id":"PYSEC-2021-98","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml"}},{"id":"google-msg-django-announce","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!forum/django-announce"}},{"id":"ntap-20210727-0004","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20210727-0004"}},{"id":"CVE-2021-33203","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33203"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33203"},"updated":"2024-09-20T15:46:52"},{"advisories":[{"title":"GitHub Advisory GHSA-6c7v-2f49-8h26","url":"https://github.com/advisories/GHSA-6c7v-2f49-8h26"},{"title":"CVE-2019-12781","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12781"},{"title":"NetApp Advisory ntap-20190705-0002","url":"https://security.netapp.com/advisory/ntap-20190705-0002"},{"title":"Debian Advisory dsa-4476","url":"https://www.debian.org/security/2019/dsa-4476"},{"title":"GitHub Advisory PYSEC-2019-10","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-10.yaml"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1|<2.1.10","status":"affected"},{"status":"unaffected","version":"2.1.10"}]}],"analysis":{},"bom-ref":"CVE-2019-12781/pkg:pypi/django@2.1.7","cwes":[319],"description":"Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS","detail":"# Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. ## Related CVE(s) CVE-2019-12781, PYSEC-2019-10","id":"CVE-2019-12781","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-07-03T20:37:25","ratings":[{"method":"CVSSv3","score":5.3,"severity":"medium","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"recommendation":"Update to version 2.1.10 to resolve CVE-2019-12781 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"google-msg-Is4kLY9ZcZQ","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ"}},{"id":"GHSA-6c7v-2f49-8h26","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-6c7v-2f49-8h26"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"CVE-2019-12781","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12781"}},{"id":"ntap-20190705-0002","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190705-0002"}},{"id":"dsa-4476","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4476"}},{"id":"openwall-oss-security-msg-2019-07-01-3","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/07/01/3"}},{"id":"seclists-exploit-bugtraq/2019/Jul/10","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jul/10"}},{"id":"fedoraproject-msg-5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL"}},{"id":"PYSEC-2019-10","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-10.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12781"},"updated":"2024-09-18T16:26:02"},{"advisories":[{"title":"GitHub Advisory GHSA-6r97-cj55-9hrq","url":"https://github.com/advisories/GHSA-6r97-cj55-9hrq"},{"title":"GitHub Advisory PYSEC-2019-13","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-13.yaml"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"Debian Advisory dsa-4498","url":"https://www.debian.org/security/2019/dsa-4498"},{"title":"CVE-2019-14234","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14234"},{"title":"NetApp Advisory ntap-20190828-0002","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1a1|<2.1.11","status":"affected"},{"status":"unaffected","version":"2.1.11"}]}],"analysis":{},"bom-ref":"CVE-2019-14234/pkg:pypi/django@2.1.7","cwes":[89],"description":"SQL Injection in Django","detail":"# SQL Injection in Django An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. ## Related CVE(s) CVE-2019-14234, PYSEC-2019-13","id":"CVE-2019-14234","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-08-16T14:00:34","ratings":[{"method":"CVSSv3","score":9.8,"severity":"critical","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 2.1.11 to resolve CVE-2019-14234 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-6r97-cj55-9hrq","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-6r97-cj55-9hrq"}},{"id":"PYSEC-2019-13","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-13.yaml"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"dsa-4498","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}},{"id":"google-msg-jIoju2-KLDs","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"}},{"id":"CVE-2019-14234","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14234"}},{"id":"ntap-20190828-0002","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}},{"id":"seclists-exploit-bugtraq/2019/Aug/15","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"}},{"id":"fedoraproject-msg-STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14234"},"updated":"2024-09-20T16:25:00"},{"advisories":[{"title":"GitHub Advisory GHSA-7rp2-fm2h-wchj","url":"https://github.com/advisories/GHSA-7rp2-fm2h-wchj"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"GitHub Advisory PYSEC-2019-79","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml"},{"title":"CVE-2019-12308","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12308"},{"title":"Debian Advisory dsa-4476","url":"https://www.debian.org/security/2019/dsa-4476"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1a1|<2.1.9","status":"affected"},{"status":"unaffected","version":"2.1.9"}]}],"analysis":{},"bom-ref":"CVE-2019-12308/pkg:pypi/django@2.1.7","cwes":[79],"description":"Django Cross-site Scripting in AdminURLFieldWidget","detail":"# Django Cross-site Scripting in AdminURLFieldWidget An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. ## Related CVE(s) CVE-2019-12308, PYSEC-2019-79","id":"CVE-2019-12308","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-06-10T18:43:25","ratings":[{"method":"CVSSv3","score":6.1,"severity":"medium","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"recommendation":"Update to version 2.1.9 to resolve CVE-2019-12308 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"seclists-exploit-bugtraq/2019/Jul/10","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jul/10"}},{"id":"google-msg-GEbHU7YoVz8","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8"}},{"id":"GHSA-7rp2-fm2h-wchj","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7rp2-fm2h-wchj"}},{"id":"openwall-oss-security-msg-2019-06-03-2","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/06/03/2"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"PYSEC-2019-79","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml"}},{"id":"CVE-2019-12308","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12308"}},{"id":"fedoraproject-msg-USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"debian-msg-msg00001","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"}},{"id":"debian-msg-msg00001","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"}},{"id":"dsa-4476","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4476"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12308"},"updated":"2024-09-20T16:09:01"},{"advisories":[{"title":"GitHub Advisory PYSEC-2022-245","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-245.yaml"},{"title":"Debian Advisory dsa-5254","url":"https://www.debian.org/security/2022/dsa-5254"},{"title":"CVE-2022-36359","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36359"},{"title":"NetApp Advisory ntap-20220915-0008","url":"https://security.netapp.com/advisory/ntap-20220915-0008"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=1.0.1|<=3.2rc1","status":"affected"},{"status":"unaffected","version":"3.2.15"}]}],"analysis":{},"bom-ref":"CVE-2022-36359/pkg:pypi/django@2.1.7","cwes":[494],"description":"Django vulnerable to Reflected File Download attack ","detail":"# Django vulnerable to Reflected File Download attack An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. ## Related CVE(s) BIT-django-2022-36359, CVE-2022-36359, CVE-2022-45442, GHSA-2x8x-jmrp-phxw, PYSEC-2022-245","id":"CVE-2022-36359","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-08-11T14:49:12","ratings":[{"method":"CVSSv31","score":8.8,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 3.2.15.","references":[{"id":"fedoraproject-msg-LTZVAKU5ALQWOKFTPISE257VCVIYGFQI","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"}},{"id":"openwall-oss-security-msg-2022-08-03-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/08/03/1"}},{"id":"PYSEC-2022-245","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-245.yaml"}},{"id":"dsa-5254","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5254"}},{"id":"google-msg-8cz--gvaJr4","source":{"name":"Google Mailing List","url":"https://groups.google.com/g/django-announce/c/8cz--gvaJr4"}},{"id":"CVE-2022-36359","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36359"}},{"id":"ntap-20220915-0008","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20220915-0008"}},{"id":"fedoraproject-msg-HWY6DQWRVBALV73BPUVBXC3QIYUM24IK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36359"},"updated":"2024-09-03T15:21:46"},{"advisories":[{"title":"GitHub Advisory PYSEC-2019-11","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-11.yaml"},{"title":"GitHub Advisory GHSA-c4qh-4vgv-qc6g","url":"https://github.com/advisories/GHSA-c4qh-4vgv-qc6g"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"GitHub Advisory PYSEC-2019-11","url":"https://github.com/pypa/advisory-db/tree/main/vulns/django/PYSEC-2019-11.yaml"},{"title":"Debian Advisory dsa-4498","url":"https://www.debian.org/security/2019/dsa-4498"},{"title":"CVE-2019-14232","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14232"},{"title":"NetApp Advisory ntap-20190828-0002","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1a1|<2.1.11","status":"affected"},{"status":"unaffected","version":"2.1.11"}]}],"analysis":{},"bom-ref":"CVE-2019-14232/pkg:pypi/django@2.1.7","cwes":[400],"description":"Django Denial-of-service in django.utils.text.Truncator","detail":"# Django Denial-of-service in django.utils.text.Truncator An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If `django.utils.text.Truncator`'s `chars()` and `words()` methods were passed the `html=True` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The `chars()` and `words()` methods are used to implement the `truncatechars_htm`l and `truncatewords_html` template filters, which were thus vulnerable. ## Related CVE(s) CVE-2019-14232, PYSEC-2019-11","id":"CVE-2019-14232","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-08-06T01:43:29","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 2.1.11 to resolve CVE-2019-14232 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"opensuse-msg-3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ","source":{"name":"Open Suse Mailing List","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ"}},{"id":"PYSEC-2019-11","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-11.yaml"}},{"id":"openwall-oss-security-msg-2024-03-04-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2024/03/04/1"}},{"id":"GHSA-c4qh-4vgv-qc6g","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-c4qh-4vgv-qc6g"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"fedoraproject-msg-STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"}},{"id":"PYSEC-2019-11","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/tree/main/vulns/django/PYSEC-2019-11.yaml"}},{"id":"fedoraproject-msg-STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"opensuse-msg-5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW","source":{"name":"Open Suse Mailing List","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW"}},{"id":"dsa-4498","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}},{"id":"google-msg-jIoju2-KLDs","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"}},{"id":"CVE-2019-14232","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14232"}},{"id":"openwall-oss-security-msg-2023-10-04-6","source":{"name":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2023/10/04/6"}},{"id":"ntap-20190828-0002","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}},{"id":"openwall-oss-security-msg-2023-10-04-6","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/04/6"}},{"id":"seclists-exploit-bugtraq/2019/Aug/15","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"}},{"id":"google-msg-jIoju2-KLDs","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14232"},"updated":"2024-09-20T16:24:57"},{"advisories":[{"title":"CVE-2019-14233","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14233"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"Debian Advisory dsa-4498","url":"https://www.debian.org/security/2019/dsa-4498"},{"title":"GitHub Advisory GHSA-h5jv-4p7w-64jg","url":"https://github.com/advisories/GHSA-h5jv-4p7w-64jg"},{"title":"NetApp Advisory ntap-20190828-0002","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"title":"GitHub Advisory PYSEC-2019-12","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1a1|<2.1.11","status":"affected"},{"status":"unaffected","version":"2.1.11"}]}],"analysis":{},"bom-ref":"CVE-2019-14233/pkg:pypi/django@2.1.7","cwes":[400],"description":"Django Denial-of-service in strip_tags()","detail":"# Django Denial-of-service in strip_tags() An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. ## Related CVE(s) CVE-2019-14233, PYSEC-2019-12","id":"CVE-2019-14233","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-08-06T01:43:33","ratings":[{"method":"CVSSv3","score":7.5,"severity":"high","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 2.1.11 to resolve CVE-2019-14233 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2019-14233","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14233"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"dsa-4498","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}},{"id":"GHSA-h5jv-4p7w-64jg","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-h5jv-4p7w-64jg"}},{"id":"google-msg-jIoju2-KLDs","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"}},{"id":"seclists-exploit-bugtraq/2019/Aug/15","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"}},{"id":"ntap-20190828-0002","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}},{"id":"PYSEC-2019-12","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml"}},{"id":"fedoraproject-msg-STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14233"},"updated":"2024-09-20T16:35:22"},{"advisories":[{"title":"CVE-2020-7471","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7471"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"GitHub Advisory PYSEC-2020-35","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-35.yaml"},{"title":"NetApp Advisory ntap-20200221-0006","url":"https://security.netapp.com/advisory/ntap-20200221-0006"},{"title":"Debian Advisory dsa-4629","url":"https://www.debian.org/security/2020/dsa-4629"},{"title":"GitHub Advisory GHSA-hmr4-m2h5-33qx","url":"https://github.com/advisories/GHSA-hmr4-m2h5-33qx"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.0|<2.2.10","status":"affected"},{"status":"unaffected","version":"2.2.10"}]}],"analysis":{},"bom-ref":"CVE-2020-7471/pkg:pypi/django@2.1.7","cwes":[89],"description":"SQL injection in Django","detail":"# SQL injection in Django Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. ## Related CVE(s) BIT-django-2020-7471, CVE-2020-7471, PYSEC-2020-35","id":"CVE-2020-7471","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2020-02-11T21:03:20","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 2.2.10 to resolve CVE-2020-7471 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2020-7471","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7471"}},{"id":"fedoraproject-msg-4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"google-msg-X45S86X5bZI","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI"}},{"id":"PYSEC-2020-35","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-35.yaml"}},{"id":"ntap-20200221-0006","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20200221-0006"}},{"id":"openwall-oss-security-msg-2020-02-03-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2020/02/03/1"}},{"id":"seclists-exploit-bugtraq/2020/Feb/30","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2020/Feb/30"}},{"id":"dsa-4629","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4629"}},{"id":"GHSA-hmr4-m2h5-33qx","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hmr4-m2h5-33qx"}},{"id":"openwall-oss-security-msg-2020-02-03-1","source":{"name":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2020/02/03/1"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7471"},"updated":"2024-09-20T15:23:48"},{"advisories":[{"title":"GitHub Advisory GHSA-hvmf-r92r-27hr","url":"https://github.com/advisories/GHSA-hvmf-r92r-27hr"},{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"GitHub Advisory PYSEC-2019-15","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-15.yaml"},{"title":"CVE-2019-19118","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19118"},{"title":"NetApp Advisory ntap-20191217-0003","url":"https://security.netapp.com/advisory/ntap-20191217-0003"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1|<2.1.15","status":"affected"},{"status":"unaffected","version":"2.1.15"}]}],"analysis":{},"bom-ref":"CVE-2019-19118/pkg:pypi/django@2.1.7","cwes":[276],"description":"Django allows unintended model editing","detail":"# Django allows unintended model editing Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) ## Related CVE(s) CVE-2019-19118, PYSEC-2019-15","id":"CVE-2019-19118","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2019-12-04T21:26:28","ratings":[{"method":"CVSSv31","score":6.5,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"recommendation":"Update to version 2.1.15 to resolve CVE-2019-19118 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-hvmf-r92r-27hr","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hvmf-r92r-27hr"}},{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"PYSEC-2019-15","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-15.yaml"}},{"id":"CVE-2019-19118","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19118"}},{"id":"fedoraproject-msg-6R4HD22PVEVQ45H2JA2NXH443AYJOPL5","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5"}},{"id":"ntap-20191217-0003","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20191217-0003"}},{"id":"google-msg-GjGqDvtNmWQ","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ"}},{"id":"openwall-oss-security-msg-2019-12-02-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/12/02/1"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19118"},"updated":"2024-09-20T15:01:15"},{"advisories":[{"title":"CVE-2024-45231","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45231"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=1.0.1|<=4.2rc1","status":"affected"}]}],"analysis":{},"bom-ref":"CVE-2024-45231/pkg:pypi/django@2.1.7","cwes":[203,204],"description":"Django allows enumeration of user e-mail addresses","detail":"# Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). ## Related CVE(s) BIT-django-2024-45231, CVE-2024-45231","id":"CVE-2024-45231","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2024-10-08T18:33:13","ratings":[{"method":"CVSSv31","score":3.7,"severity":"low","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"recommendation":"No recommendation found for CVE-2024-45231. Updating to version 3.2.15 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"CVE-2024-45231","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45231"}},{"id":"google-msg-django-announce","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#%21forum/django-announce"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45231"},"updated":"2024-10-30T19:23:59"},{"advisories":[{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"Debian Advisory dsa-4498","url":"https://www.debian.org/security/2019/dsa-4498"},{"title":"CVE-2019-14235","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14235"},{"title":"NetApp Advisory ntap-20190828-0002","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"title":"GitHub Advisory GHSA-v9qg-3j8p-r63v","url":"https://github.com/advisories/GHSA-v9qg-3j8p-r63v"},{"title":"GitHub Advisory PYSEC-2019-14","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-14.yaml"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.1a1|<2.1.11","status":"affected"},{"status":"unaffected","version":"2.1.11"}]}],"analysis":{},"bom-ref":"CVE-2019-14235/pkg:pypi/django@2.1.7","cwes":[674],"description":"Uncontrolled Recursion in Django","detail":"# Uncontrolled Recursion in Django An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. ## Related CVE(s) CVE-2019-14235, PYSEC-2019-14","id":"CVE-2019-14235","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2019-08-06T01:43:31","ratings":[{"method":"CVSSv3","score":7.5,"severity":"high","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 2.1.11 to resolve CVE-2019-14235 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"opensuse-msg-msg00006","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"}},{"id":"opensuse-msg-msg00025","source":{"name":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"}},{"id":"fedoraproject-msg-STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"}},{"id":"dsa-4498","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}},{"id":"google-msg-jIoju2-KLDs","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"}},{"id":"CVE-2019-14235","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14235"}},{"id":"ntap-20190828-0002","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"}},{"id":"GHSA-v9qg-3j8p-r63v","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-v9qg-3j8p-r63v"}},{"id":"seclists-exploit-bugtraq/2019/Aug/15","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"}},{"id":"PYSEC-2019-14","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-14.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14235"},"updated":"2024-09-20T16:35:02"},{"advisories":[{"title":"Gentoo Advisory glsa-202004-17","url":"https://security.gentoo.org/glsa/202004-17"},{"title":"GitHub Advisory PYSEC-2019-16","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml"},{"title":"Debian Advisory dsa-4598","url":"https://www.debian.org/security/2020/dsa-4598"},{"title":"GitHub Advisory GHSA-vfq6-hq5r-27r6","url":"https://github.com/advisories/GHSA-vfq6-hq5r-27r6"},{"title":"CVE-2019-19844","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19844"},{"title":"NetApp Advisory ntap-20200110-0003","url":"https://security.netapp.com/advisory/ntap-20200110-0003"}],"affects":[{"ref":"pkg:pypi/django@2.1.7","versions":[{"range":"vers:pypi/>=2.0|<2.2.9","status":"affected"},{"status":"unaffected","version":"2.2.9"}]}],"analysis":{},"bom-ref":"CVE-2019-19844/pkg:pypi/django@2.1.7","cwes":[640],"description":"Django Potential account hijack via password reset form","detail":"# Django Potential account hijack via password reset form Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) ## Related CVE(s) CVE-2019-19844, PYSEC-2019-16","id":"CVE-2019-19844","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Known Exploits"}],"published":"2020-01-16T22:35:12","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 2.2.9 to resolve CVE-2019-19844 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","references":[{"id":"glsa-202004-17","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"}},{"id":"PYSEC-2019-16","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml"}},{"id":"dsa-4598","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4598"}},{"id":"packetstormsecurity-exploit-Django-Account-Hijack.html","source":{"name":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}},{"id":"google-msg-3oaB2rVH3a0","source":{"name":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"}},{"id":"GHSA-vfq6-hq5r-27r6","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vfq6-hq5r-27r6"}},{"id":"CVE-2019-19844","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19844"}},{"id":"seclists-exploit-bugtraq/2020/Jan/9","source":{"name":"Seclists Exploit","url":"https://seclists.org/bugtraq/2020/Jan/9"}},{"id":"ntap-20200110-0003","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20200110-0003"}},{"id":"fedoraproject-msg-HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19844"},"updated":"2024-09-20T15:24:05"},{"advisories":[{"title":"Debian Advisory dsa-5496","url":"https://www.debian.org/security/2023/dsa-5496"},{"title":"Gentoo Advisory glsa-202309-05","url":"https://security.gentoo.org/glsa/202309-05"},{"title":"NetApp Advisory ntap-20230929-0011","url":"https://security.netapp.com/advisory/ntap-20230929-0011"},{"title":"CVE-2023-4863","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},{"title":"Gentoo Advisory glsa-202401-10","url":"https://security.gentoo.org/glsa/202401-10"},{"title":"cve-2023-4863","url":"https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863"},{"title":"Rustsec Advisory RUSTSEC-2023-0061","url":"https://rustsec.org/advisories/RUSTSEC-2023-0061.html"},{"title":"Googleblog Advisory stable-channel-update-for-desktop_11","url":"https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html"},{"title":"Debian Advisory dsa-5498","url":"https://www.debian.org/security/2023/dsa-5498"},{"title":"Debian Advisory CVE-2023-4863","url":"https://security-tracker.debian.org/tracker/CVE-2023-4863"},{"title":"Rustsec Advisory RUSTSEC-2023-0060","url":"https://rustsec.org/advisories/RUSTSEC-2023-0060.html"},{"title":"Bleepingcomputer Advisory google-fixes-another-chrome-zero-day-bug-exploited-in-attacks","url":"https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks"},{"title":"Debian Advisory dsa-5497","url":"https://www.debian.org/security/2023/dsa-5497"},{"title":"Microsoft Advisory CVE-2023-4863","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863"},{"title":"Mozilla Advisory mfsa2023-40","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2023-40"},{"title":"Bentley Advisory be-2023-0001","url":"https://www.bentley.com/advisories/be-2023-0001"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"}]}],"analysis":{},"bom-ref":"CVE-2023-4863/pkg:pypi/pillow@5.4.1","cwes":[787],"description":"libwebp: OOB write in BuildHuffmanTable","detail":"# libwebp: OOB write in BuildHuffmanTable Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page. ## Related CVE(s) A-299477569, ASB-A-299477569, CVE-2023-4863, CVE-2023-5129, RUSTSEC-2023-0060, RUSTSEC-2023-0061","id":"CVE-2023-4863","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2023-09-12T15:30:20","ratings":[{"method":"CVSSv31","score":8.8,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"No recommendation found for CVE-2023-4863. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"openwall-oss-security-msg-2023-09-26-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/26/1"}},{"id":"dsa-5496","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5496"}},{"id":"glsa-202309-05","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202309-05"}},{"id":"openwall-oss-security-msg-2023-09-22-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/1"}},{"id":"fedoraproject-msg-WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I"}},{"id":"openwall-oss-security-msg-2023-09-22-4","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/4"}},{"id":"debian-msg-msg00016","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html"}},{"id":"ntap-20230929-0011","source":{"name":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20230929-0011"}},{"id":"openwall-oss-security-msg-2023-09-28-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/1"}},{"id":"openwall-oss-security-msg-2023-09-28-4","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"}},{"id":"CVE-2023-4863","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"}},{"id":"openwall-oss-security-msg-2023-09-22-6","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/6"}},{"id":"openwall-oss-security-msg-2023-09-28-2","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/2"}},{"id":"glsa-202401-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202401-10"}},{"id":"openwall-oss-security-msg-2023-09-22-8","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/8"}},{"id":"openwall-oss-security-msg-2023-09-22-7","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/7"}},{"id":"fedoraproject-msg-OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX"}},{"id":"cve-2023-4863","source":{"url":"https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863"}},{"id":"debian-msg-msg00017","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html"}},{"id":"openwall-oss-security-msg-2023-09-22-3","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/3"}},{"id":"debian-msg-msg00015","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html"}},{"id":"fedoraproject-msg-FYYKLG6CRGEDTNRBSU26EEWAO6D6U645","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645"}},{"id":"RUSTSEC-2023-0061","source":{"name":"Rustsec Advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0061.html"}},{"id":"openwall-oss-security-msg-2023-09-26-7","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/26/7"}},{"id":"stable-channel-update-for-desktop_11","source":{"name":"Googleblog Advisory","url":"https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html"}},{"id":"dsa-5498","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5498"}},{"id":"fedoraproject-msg-KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3"}},{"id":"CVE-2023-4863","source":{"name":"Debian Advisory","url":"https://security-tracker.debian.org/tracker/CVE-2023-4863"}},{"id":"RUSTSEC-2023-0060","source":{"name":"Rustsec Advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0060.html"}},{"id":"google-fixes-another-chrome-zero-day-bug-exploited-in-attacks","source":{"name":"Bleepingcomputer Advisory","url":"https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks"}},{"id":"openwall-oss-security-msg-2023-09-22-5","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/5"}},{"id":"dsa-5497","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5497"}},{"id":"CVE-2023-4863","source":{"name":"Microsoft Advisory","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863"}},{"id":"fedoraproject-msg-6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT"}},{"id":"mfsa2023-40","source":{"name":"Mozilla Advisory","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2023-40"}},{"id":"openwall-oss-security-msg-2023-09-21-4","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/21/4"}},{"id":"fedoraproject-msg-PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX"}},{"id":"fedoraproject-msg-WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB"}},{"id":"be-2023-0001","source":{"name":"Bentley Advisory","url":"https://www.bentley.com/advisories/be-2023-0001"}},{"id":"suse-bugzilla-1215231","source":{"name":"Suse Bugzilla","url":"https://bugzilla.suse.com/show_bug.cgi?id=1215231"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},"updated":"2024-08-07T19:29:17"},{"advisories":[{"title":"CVE-2023-50447","url":"https://duartecsantos.github.io/2024-01-02-CVE-2023-50447"},{"title":"Checkmarx Advisory CVE-2023-50447","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-50447"},{"title":"CVE-2023-50447","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50447"},{"title":"CVE-2023-50447","url":"https://duartecsantos.github.io/2023-01-02-CVE-2023-50447"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"}]}],"analysis":{},"bom-ref":"CVE-2023-50447/pkg:pypi/pillow@5.4.1","cwes":[94,95],"description":"Arbitrary Code Execution in Pillow","detail":"# Arbitrary Code Execution in Pillow Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). ## Related CVE(s) BIT-pillow-2023-50447, CVE-2023-50447","id":"CVE-2023-50447","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2024-01-19T21:30:35","ratings":[{"method":"CVSSv31","score":8.1,"severity":"high","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"No recommendation found for CVE-2023-50447. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"CVE-2023-50447","source":{"url":"https://duartecsantos.github.io/2024-01-02-CVE-2023-50447"}},{"id":"CVE-2023-50447","source":{"name":"Checkmarx Advisory","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-50447"}},{"id":"CVE-2023-50447","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50447"}},{"id":"openwall-oss-security-msg-2024-01-20-1","source":{"name":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2024/01/20/1"}},{"id":"CVE-2023-50447","source":{"url":"https://duartecsantos.github.io/2023-01-02-CVE-2023-50447"}},{"id":"debian-msg-msg00019","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html"}}],"source":{"url":"https://duartecsantos.github.io/2024-01-02-CVE-2023-50447"},"updated":"2024-08-02T11:04:50"},{"advisories":[{"title":"CVE-2021-27922","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27922"},{"title":"GitHub Advisory PYSEC-2021-41","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-41.yaml"},{"title":"GitHub Advisory GHSA-3wvg-mj6g-m9cv","url":"https://github.com/advisories/GHSA-3wvg-mj6g-m9cv"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-27922/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Pillow Uncontrolled Resource Consumption","detail":"# Pillow Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. ## Related CVE(s) BIT-pillow-2021-27922, CVE-2021-27922, PYSEC-2021-41","id":"CVE-2021-27922","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:55:21","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-27922 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-TQQY6472RX4J2SUJENWDZAWKTJJGP2ML","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"}},{"id":"CVE-2021-27922","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27922"}},{"id":"fedoraproject-msg-ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"}},{"id":"PYSEC-2021-41","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-41.yaml"}},{"id":"GHSA-3wvg-mj6g-m9cv","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-3wvg-mj6g-m9cv"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27922"},"updated":"2024-10-08T13:23:01"},{"advisories":[{"title":"GitHub Advisory GHSA-3xv8-3j54-hgrp","url":"https://github.com/advisories/GHSA-3xv8-3j54-hgrp"},{"title":"GitHub Advisory PYSEC-2020-77","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-77.yaml"},{"title":"CVE-2020-10378","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10378"},{"title":"GitHub Advisory PYSEC-2020-77","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-77.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-10378/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds read in Pillow","detail":"# Out-of-bounds read in Pillow In `libImaging/PcxDecode.c` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where `state->shuffle` is instructed to read beyond `state->buffer`. ## Related CVE(s) BIT-pillow-2020-10378, CVE-2020-10378","id":"CVE-2020-10378","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-11-03T18:04:53","ratings":[{"method":"CVSSv31","score":5.5,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"recommendation":"Update to version 7.1.0 to resolve CVE-2020-10378 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-3xv8-3j54-hgrp","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-3xv8-3j54-hgrp"}},{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"}},{"id":"PYSEC-2020-77","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-77.yaml"}},{"id":"CVE-2020-10378","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10378"}},{"id":"PYSEC-2020-77","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-77.yaml"}},{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10378"},"updated":"2024-10-09T21:09:14"},{"advisories":[{"title":"CVE-2020-11538","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11538"},{"title":"Snyk Advisory SNYK-PYTHON-PILLOW-574574","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574574"},{"title":"GitHub Advisory GHSA-43fq-w8qq-v88h","url":"https://github.com/advisories/GHSA-43fq-w8qq-v88h"},{"title":"GitHub Advisory PYSEC-2020-80","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-80.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"}]}],"analysis":{},"bom-ref":"CVE-2020-11538/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds read in Pillow","detail":"# Out-of-bounds read in Pillow In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. ## Related CVE(s) BIT-pillow-2020-11538, CVE-2020-11538, PYSEC-2020-80","id":"CVE-2020-11538","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-07-27T21:52:36","ratings":[{"method":"CVSSv31","score":8.1,"severity":"high","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"No recommendation found for CVE-2020-11538. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"CVE-2020-11538","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11538"}},{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"}},{"id":"SNYK-PYTHON-PILLOW-574574","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574574"}},{"id":"GHSA-43fq-w8qq-v88h","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-43fq-w8qq-v88h"}},{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"}},{"id":"PYSEC-2020-80","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-80.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11538"},"updated":"2024-10-09T20:02:20"},{"advisories":[{"title":"CVE-2024-28219","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28219"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"},{"status":"unaffected","version":"10.3.0"}]}],"analysis":{},"bom-ref":"CVE-2024-28219/pkg:pypi/pillow@5.4.1","cwes":[120,676,680],"description":"Pillow buffer overflow vulnerability","detail":"# Pillow buffer overflow vulnerability In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. ## Related CVE(s) BIT-pillow-2024-28219, CVE-2024-28219","id":"CVE-2024-28219","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2024-04-03T03:30:30","ratings":[{"method":"CVSSv31","score":6.7,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 10.3.0.","references":[{"id":"debian-msg-msg00008","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html"}},{"id":"CVE-2024-28219","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28219"}},{"id":"fedoraproject-msg-4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28219"},"updated":"2024-08-21T14:57:02"},{"advisories":[{"title":"GitHub Advisory GHSA-4fx9-vc88-q2xc","url":"https://github.com/advisories/GHSA-4fx9-vc88-q2xc"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.4.0","status":"affected"}]}],"analysis":{},"bom-ref":"GHSA-4fx9-vc88-q2xc/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Infinite loop in Pillow","detail":"# Infinite loop in Pillow JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder. If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.","id":"GHSA-4fx9-vc88-q2xc","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-03-11T23:39:27","ratings":[{"method":"CVSSv31","score":2.0,"severity":"low","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"recommendation":"No recommendation found for GHSA-4fx9-vc88-q2xc. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[],"source":{"name":"GitHub","url":"https://github.com/advisories/GHSA-4fx9-vc88-q2xc"},"updated":"2023-04-11T01:20:06"},{"advisories":[{"title":"CVE-2023-4863","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},{"title":"GitHub Advisory PYSEC-2023-175","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml"},{"title":"CVE-2023-5129","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"},{"title":"GitHub Advisory GHSA-56pw-mpj4-fxww","url":"https://github.com/advisories/GHSA-56pw-mpj4-fxww"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"}]}],"analysis":{},"bom-ref":"GHSA-56pw-mpj4-fxww/pkg:pypi/pillow@5.4.1","cwes":[],"description":"Bundled libwebp in Pillow vulnerable","detail":"# Bundled libwebp in Pillow vulnerable Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.","id":"GHSA-56pw-mpj4-fxww","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2023-10-05T00:06:58","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"recommendation":"No recommendation found for GHSA-56pw-mpj4-fxww. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"CVE-2023-4863","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"}},{"id":"PYSEC-2023-175","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml"}},{"id":"CVE-2023-5129","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"}}],"source":{"name":"GitHub","url":"https://github.com/advisories/GHSA-56pw-mpj4-fxww"},"updated":"2024-02-16T08:18:51"},{"advisories":[{"title":"CVE-2021-25289","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25289"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"title":"GitHub Advisory GHSA-57h3-9rgr-c24m","url":"https://github.com/advisories/GHSA-57h3-9rgr-c24m"},{"title":"GitHub Advisory PYSEC-2021-35","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-35.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-25289/pkg:pypi/pillow@5.4.1","cwes":[787],"description":"Out of bounds write in Pillow","detail":"# Out of bounds write in Pillow An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. ## Related CVE(s) BIT-pillow-2021-25289, CVE-2021-25289, PYSEC-2021-35","id":"CVE-2021-25289","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-29T16:35:16","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-25289 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2021-25289","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25289"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"GHSA-57h3-9rgr-c24m","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-57h3-9rgr-c24m"}},{"id":"PYSEC-2021-35","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-35.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25289"},"updated":"2024-10-08T13:22:45"},{"advisories":[{"title":"Debian Advisory dsa-4631","url":"https://www.debian.org/security/2020/dsa-4631"},{"title":"GitHub Advisory GHSA-5gm3-px64-rw72","url":"https://github.com/advisories/GHSA-5gm3-px64-rw72"},{"title":"GitHub Advisory PYSEC-2020-172","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-172.yaml"},{"title":"CVE-2019-19911","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19911"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.2.1","status":"affected"},{"status":"unaffected","version":"6.2.2"}]}],"analysis":{},"bom-ref":"CVE-2019-19911/pkg:pypi/pillow@5.4.1","cwes":[190],"description":"Uncontrolled Resource Consumption in Pillow","detail":"# Uncontrolled Resource Consumption in Pillow There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. ## Related CVE(s) CVE-2019-19911, PYSEC-2020-172","id":"CVE-2019-19911","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-04-01T16:36:44","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 6.2.2 to resolve CVE-2019-19911 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"dsa-4631","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}},{"id":"fedoraproject-msg-3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"}},{"id":"GHSA-5gm3-px64-rw72","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-5gm3-px64-rw72"}},{"id":"PYSEC-2020-172","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-172.yaml"}},{"id":"CVE-2019-19911","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19911"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19911"},"updated":"2024-10-08T13:22:59"},{"advisories":[{"title":"GitHub Advisory PYSEC-2021-331","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml"},{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"},{"title":"GitHub Advisory GHSA-7534-mm45-c74v","url":"https://github.com/advisories/GHSA-7534-mm45-c74v"},{"title":"CVE-2021-34552","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34552"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.2.0","status":"affected"}]}],"analysis":{},"bom-ref":"CVE-2021-34552/pkg:pypi/pillow@5.4.1","cwes":[120],"description":"Buffer Overflow in Pillow","detail":"# Buffer Overflow in Pillow Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. ## Related CVE(s) BIT-pillow-2021-34552, CVE-2021-34552, PYSEC-2021-331","id":"CVE-2021-34552","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-10-05T20:24:41","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"No recommendation found for CVE-2021-34552. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"PYSEC-2021-331","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}},{"id":"GHSA-7534-mm45-c74v","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7534-mm45-c74v"}},{"id":"fedoraproject-msg-VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ"}},{"id":"fedoraproject-msg-7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV"}},{"id":"CVE-2021-34552","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34552"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34552"},"updated":"2024-10-09T21:10:34"},{"advisories":[{"title":"GitHub Advisory GHSA-77gc-v2xv-rvvh","url":"https://github.com/advisories/GHSA-77gc-v2xv-rvvh"},{"title":"CVE-2021-25287","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25287"},{"title":"GitHub Advisory PYSEC-2021-137","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-137.yaml"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=2.4.0|<8.2.0","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-25287/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds Read in Pillow","detail":"# Out-of-bounds Read in Pillow An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. ## Related CVE(s) BIT-pillow-2021-25287, CVE-2021-25287, PYSEC-2021-137","id":"CVE-2021-25287","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:49:02","ratings":[{"method":"CVSSv31","score":9.1,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-25287 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-77gc-v2xv-rvvh","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-77gc-v2xv-rvvh"}},{"id":"CVE-2021-25287","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25287"}},{"id":"PYSEC-2021-137","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-137.yaml"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25287"},"updated":"2024-10-09T21:25:17"},{"advisories":[{"title":"GitHub Advisory PYSEC-2021-92","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-92.yaml"},{"title":"GitHub Advisory GHSA-7r7m-5h27-29hp","url":"https://github.com/advisories/GHSA-7r7m-5h27-29hp"},{"title":"CVE-2021-28676","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28676"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.2","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-28676/pkg:pypi/pillow@5.4.1","cwes":[835],"description":"Potential infinite loop in Pillow","detail":"# Potential infinite loop in Pillow An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. ## Related CVE(s) BIT-pillow-2021-28676, CVE-2021-28676, PYSEC-2021-92","id":"CVE-2021-28676","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:48:53","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-28676 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"PYSEC-2021-92","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-92.yaml"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}},{"id":"GHSA-7r7m-5h27-29hp","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7r7m-5h27-29hp"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}},{"id":"CVE-2021-28676","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28676"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28676"},"updated":"2024-10-14T18:25:51"},{"advisories":[{"title":"CVE-2020-10379","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10379"},{"title":"GitHub Advisory PYSEC-2020-78","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-78.yaml"},{"title":"GitHub Advisory GHSA-8843-m7mw-mxqm","url":"https://github.com/advisories/GHSA-8843-m7mw-mxqm"},{"title":"Snyk Advisory SNYK-PYTHON-PILLOW-574577","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574577"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-10379/pkg:pypi/pillow@5.4.1","cwes":[120],"description":"Buffer overflow in Pillow","detail":"# Buffer overflow in Pillow In Pillow before 7.1.0, there are two Buffer Overflows in `libImaging/TiffDecode.c`. ## Related CVE(s) BIT-pillow-2020-10379, CVE-2020-10379","id":"CVE-2020-10379","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-07-27T21:52:41","ratings":[{"method":"CVSSv31","score":7.8,"severity":"high","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 7.1.0 to resolve CVE-2020-10379 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"}},{"id":"CVE-2020-10379","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10379"}},{"id":"PYSEC-2020-78","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-78.yaml"}},{"id":"GHSA-8843-m7mw-mxqm","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8843-m7mw-mxqm"}},{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"}},{"id":"SNYK-PYTHON-PILLOW-574577","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574577"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10379"},"updated":"2024-10-09T19:45:53"},{"advisories":[{"title":"GitHub Advisory PYSEC-2023-227","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml"},{"title":"CVE-2023-44271","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44271"},{"title":"Checkmarx Advisory CVE-2023-44271","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-44271"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"},{"status":"unaffected","version":"10.0.0"}]}],"analysis":{},"bom-ref":"CVE-2023-44271/pkg:pypi/pillow@5.4.1","cwes":[400,770],"description":"Pillow Denial of Service vulnerability","detail":"# Pillow Denial of Service vulnerability An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. ## Related CVE(s) BIT-pillow-2023-44271, CVE-2023-44271, PYSEC-2023-227","id":"CVE-2023-44271","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2023-11-03T06:36:30","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 10.0.0 to resolve CVE-2023-44271 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"PYSEC-2023-227","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml"}},{"id":"CVE-2023-44271","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44271"}},{"id":"CVE-2023-44271","source":{"name":"Checkmarx Advisory","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-44271"}},{"id":"fedoraproject-msg-N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4"}},{"id":"debian-msg-msg00021","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44271"},"updated":"2024-10-14T21:23:45"},{"advisories":[{"title":"GitHub Advisory GHSA-8vj2-vxx3-667w","url":"https://github.com/advisories/GHSA-8vj2-vxx3-667w"},{"title":"Debian Advisory dsa-5053","url":"https://www.debian.org/security/2022/dsa-5053"},{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"},{"title":"GitHub Advisory PYSEC-2022-10","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml"},{"title":"CVE-2022-22817","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22817"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.0.0","status":"affected"},{"status":"unaffected","version":"9.0.0"}]}],"analysis":{},"bom-ref":"CVE-2022-22817/pkg:pypi/pillow@5.4.1","cwes":[74],"description":"Arbitrary expression injection in Pillow","detail":"# Arbitrary expression injection in Pillow `PIL.ImageMath.eval` in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method `ImageMath.eval(\"exec(exit())\")`. While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1. ## Related CVE(s) BIT-pillow-2022-22817, CVE-2022-22817, PYSEC-2022-10","id":"CVE-2022-22817","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-01-12T20:07:33","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 9.0.0 to resolve CVE-2022-22817 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-8vj2-vxx3-667w","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8vj2-vxx3-667w"}},{"id":"dsa-5053","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}},{"id":"PYSEC-2022-10","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml"}},{"id":"CVE-2022-22817","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22817"}},{"id":"debian-msg-msg00021","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22817"},"updated":"2024-10-14T18:26:08"},{"advisories":[{"title":"GitHub Advisory GHSA-8xjq-8fcg-g5hw","url":"https://github.com/advisories/GHSA-8xjq-8fcg-g5hw"},{"title":"GitHub Advisory PYSEC-2021-36","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-36.yaml"},{"title":"CVE-2021-25290","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25290"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-25290/pkg:pypi/pillow@5.4.1","cwes":[787],"description":"Out-of-bounds Write in Pillow","detail":"# Out-of-bounds Write in Pillow An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. ## Related CVE(s) BIT-pillow-2021-25290, CVE-2021-25290, PYSEC-2021-36","id":"CVE-2021-25290","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-29T16:35:36","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-25290 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-8xjq-8fcg-g5hw","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8xjq-8fcg-g5hw"}},{"id":"PYSEC-2021-36","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-36.yaml"}},{"id":"CVE-2021-25290","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25290"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25290"},"updated":"2024-10-08T13:23:21"},{"advisories":[{"title":"CVE-2021-27923","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27923"},{"title":"GitHub Advisory PYSEC-2021-42","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-42.yaml"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"title":"GitHub Advisory GHSA-95q3-8gr9-gm8w","url":"https://github.com/advisories/GHSA-95q3-8gr9-gm8w"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-27923/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Pillow Denial of Service by Uncontrolled Resource Consumption","detail":"# Pillow Denial of Service by Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. ## Related CVE(s) BIT-pillow-2021-27923, CVE-2021-27923, PYSEC-2021-42","id":"CVE-2021-27923","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:54:43","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-27923 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-TQQY6472RX4J2SUJENWDZAWKTJJGP2ML","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"}},{"id":"CVE-2021-27923","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27923"}},{"id":"fedoraproject-msg-ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"}},{"id":"PYSEC-2021-42","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-42.yaml"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"}},{"id":"GHSA-95q3-8gr9-gm8w","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-95q3-8gr9-gm8w"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27923"},"updated":"2024-10-08T13:17:51"},{"advisories":[{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"},{"title":"Snyk Advisory SNYK-PYTHON-PILLOW-1319443","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443"},{"title":"GitHub Advisory GHSA-98vv-pw6r-q6q4","url":"https://github.com/advisories/GHSA-98vv-pw6r-q6q4"},{"title":"CVE-2021-23437","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23437"},{"title":"GitHub Advisory PYSEC-2021-317","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=5.2.0|<8.3.2","status":"affected"},{"status":"unaffected","version":"8.3.2"}]}],"analysis":{},"bom-ref":"CVE-2021-23437/pkg:pypi/pillow@5.4.1","cwes":[125,400],"description":"Uncontrolled Resource Consumption in pillow","detail":"# Uncontrolled Resource Consumption in pillow The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. ## Related CVE(s) BIT-pillow-2021-23437, CVE-2021-23437, PYSEC-2021-317, SNYK-PYTHON-PILLOW-1319443","id":"CVE-2021-23437","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-09-07T23:08:10","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.3.2 to resolve CVE-2021-23437 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}},{"id":"fedoraproject-msg-VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT"}},{"id":"fedoraproject-msg-RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C"}},{"id":"SNYK-PYTHON-PILLOW-1319443","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443"}},{"id":"debian-msg-msg00021","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}},{"id":"GHSA-98vv-pw6r-q6q4","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-98vv-pw6r-q6q4"}},{"id":"CVE-2021-23437","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23437"}},{"id":"fedoraproject-msg-RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C"}},{"id":"PYSEC-2021-317","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23437"},"updated":"2024-10-09T21:08:55"},{"advisories":[{"title":"GitHub Advisory GHSA-9hx2-hgq2-2g4f","url":"https://github.com/advisories/GHSA-9hx2-hgq2-2g4f"},{"title":"GitHub Advisory PYSEC-2021-38","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-38.yaml"},{"title":"CVE-2021-25292","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25292"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=5.1.0|<8.1.1","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-25292/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Regular Expression Denial of Service (ReDoS) in Pillow","detail":"# Regular Expression Denial of Service (ReDoS) in Pillow An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. ## Related CVE(s) BIT-pillow-2021-25292, CVE-2021-25292, PYSEC-2021-38","id":"CVE-2021-25292","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-29T16:35:46","ratings":[{"method":"CVSSv31","score":6.5,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-25292 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-9hx2-hgq2-2g4f","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-9hx2-hgq2-2g4f"}},{"id":"PYSEC-2021-38","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-38.yaml"}},{"id":"CVE-2021-25292","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25292"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25292"},"updated":"2024-10-09T21:24:57"},{"advisories":[{"title":"GitHub Advisory GHSA-9j59-75qj-795w","url":"https://github.com/advisories/GHSA-9j59-75qj-795w"},{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"},{"title":"CVE-2022-24303","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24303"},{"title":"GitHub Advisory PYSEC-2022-168","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.0.0","status":"affected"},{"status":"unaffected","version":"9.0.1"}]}],"analysis":{},"bom-ref":"CVE-2022-24303/pkg:pypi/pillow@5.4.1","cwes":[22],"description":"Path traversal in Pillow","detail":"# Path traversal in Pillow Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. ## Related CVE(s) BIT-pillow-2022-24303, CVE-2022-24303, PYSEC-2022-168","id":"CVE-2022-24303","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-03-11T23:10:32","ratings":[{"method":"CVSSv31","score":9.1,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}],"recommendation":"Update to version 9.0.1 to resolve CVE-2022-24303 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV"}},{"id":"GHSA-9j59-75qj-795w","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-9j59-75qj-795w"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}},{"id":"CVE-2022-24303","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24303"}},{"id":"fedoraproject-msg-XR6UP2XONXOVXI4446VY72R63YRO2YTP","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP"}},{"id":"PYSEC-2022-168","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24303"},"updated":"2024-10-14T18:43:28"},{"advisories":[{"title":"CVE-2020-10177","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10177"},{"title":"GitHub Advisory GHSA-cqhg-xjhh-p8hf","url":"https://github.com/advisories/GHSA-cqhg-xjhh-p8hf"},{"title":"GitHub Advisory PYSEC-2020-76","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-76.yaml"},{"title":"Snyk Advisory SNYK-PYTHON-PILLOW-574573","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574573"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-10177/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds reads in Pillow","detail":"# Out-of-bounds reads in Pillow Pillow before 7.1.0 has multiple out-of-bounds reads in `libImaging/FliDecode.c`. ## Related CVE(s) BIT-pillow-2020-10177, CVE-2020-10177, PYSEC-2020-76","id":"CVE-2020-10177","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-07-27T21:52:43","ratings":[{"method":"CVSSv31","score":5.5,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"recommendation":"Update to version 7.1.0 to resolve CVE-2020-10177 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2020-10177","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10177"}},{"id":"debian-msg-msg00012","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00012.html"}},{"id":"GHSA-cqhg-xjhh-p8hf","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-cqhg-xjhh-p8hf"}},{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"}},{"id":"PYSEC-2020-76","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-76.yaml"}},{"id":"SNYK-PYTHON-PILLOW-574573","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574573"}},{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10177"},"updated":"2024-10-09T21:26:00"},{"advisories":[{"title":"GitHub Advisory GHSA-f4w8-cv6p-x6r5","url":"https://github.com/advisories/GHSA-f4w8-cv6p-x6r5"},{"title":"CVE-2021-27921","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27921"},{"title":"GitHub Advisory PYSEC-2021-40","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-40.yaml"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-27921/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Pillow Denial of Service by Uncontrolled Resource Consumption","detail":"# Pillow Denial of Service by Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. ## Related CVE(s) BIT-pillow-2021-27921, CVE-2021-27921, PYSEC-2021-40","id":"CVE-2021-27921","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:55:13","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-27921 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-TQQY6472RX4J2SUJENWDZAWKTJJGP2ML","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"}},{"id":"GHSA-f4w8-cv6p-x6r5","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-f4w8-cv6p-x6r5"}},{"id":"CVE-2021-27921","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27921"}},{"id":"fedoraproject-msg-ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"}},{"id":"PYSEC-2021-40","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-40.yaml"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27921"},"updated":"2024-10-08T13:23:01"},{"advisories":[{"title":"GitHub Advisory PYSEC-2021-69","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yaml"},{"title":"GitHub Advisory GHSA-f5g8-5qq7-938w","url":"https://github.com/advisories/GHSA-f5g8-5qq7-938w"},{"title":"CVE-2020-35653","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35653"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.0.1","status":"affected"},{"status":"unaffected","version":"8.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-35653/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Pillow Out-of-bounds Read","detail":"# Pillow Out-of-bounds Read In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. ## Related CVE(s) BIT-pillow-2020-35653, CVE-2020-35653, PYSEC-2021-69","id":"CVE-2020-35653","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:55:41","ratings":[{"method":"CVSSv31","score":7.1,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}],"recommendation":"Update to version 8.1.0 to resolve CVE-2020-35653 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"}},{"id":"PYSEC-2021-69","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yaml"}},{"id":"fedoraproject-msg-6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}},{"id":"GHSA-f5g8-5qq7-938w","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-f5g8-5qq7-938w"}},{"id":"CVE-2020-35653","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35653"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35653"},"updated":"2024-10-08T13:22:43"},{"advisories":[{"title":"CVE-2021-28675","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28675"},{"title":"GitHub Advisory GHSA-g6rj-rv7j-xwp4","url":"https://github.com/advisories/GHSA-g6rj-rv7j-xwp4"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"title":"GitHub Advisory PYSEC-2021-139","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.2","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-28675/pkg:pypi/pillow@5.4.1","cwes":[233,252],"description":"Pillow denial of service","detail":"# Pillow denial of service An issue was discovered in Pillow before 8.2.0. `PSDImagePlugin.PsdImageFile` lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on `Image.open` prior to `Image.load`. ## Related CVE(s) BIT-pillow-2021-28675, CVE-2021-28675, PYSEC-2021-139","id":"CVE-2021-28675","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:49:11","ratings":[{"method":"CVSSv31","score":5.5,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-28675 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2021-28675","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28675"}},{"id":"GHSA-g6rj-rv7j-xwp4","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-g6rj-rv7j-xwp4"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"PYSEC-2021-139","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28675"},"updated":"2024-10-09T20:23:47"},{"advisories":[{"title":"GitHub Advisory PYSEC-2021-71","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yaml"},{"title":"GitHub Advisory GHSA-hf64-x4gq-p99h","url":"https://github.com/advisories/GHSA-hf64-x4gq-p99h"},{"title":"CVE-2020-35655","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35655"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=4.3.0|<8.1.0","status":"affected"},{"status":"unaffected","version":"8.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-35655/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Pillow Out-of-bounds Read","detail":"# Pillow Out-of-bounds Read In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. ## Related CVE(s) BIT-pillow-2020-35655, CVE-2020-35655, PYSEC-2021-71","id":"CVE-2020-35655","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:55:34","ratings":[{"method":"CVSSv31","score":5.4,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"}],"recommendation":"Update to version 8.1.0 to resolve CVE-2020-35655 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"}},{"id":"fedoraproject-msg-6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"}},{"id":"PYSEC-2021-71","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yaml"}},{"id":"GHSA-hf64-x4gq-p99h","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hf64-x4gq-p99h"}},{"id":"CVE-2020-35655","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35655"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35655"},"updated":"2024-10-08T13:23:04"},{"advisories":[{"title":"CVE-2020-5313","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5313"},{"title":"Debian Advisory dsa-4631","url":"https://www.debian.org/security/2020/dsa-4631"},{"title":"GitHub Advisory PYSEC-2020-84","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-84.yaml"},{"title":"GitHub Advisory GHSA-hj69-c76v-86wr","url":"https://github.com/advisories/GHSA-hj69-c76v-86wr"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.2.1","status":"affected"},{"status":"unaffected","version":"6.2.2"}]}],"analysis":{},"bom-ref":"CVE-2020-5313/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds Read in Pillow","detail":"# Out-of-bounds Read in Pillow `libImaging/FliDecode.c` in Pillow before 6.2.2 has an FLI buffer overflow. ## Related CVE(s) BIT-pillow-2020-5313, CVE-2020-5313, PYSEC-2020-84","id":"CVE-2020-5313","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-04-01T16:36:00","ratings":[{"method":"CVSSv31","score":7.1,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}],"recommendation":"Update to version 6.2.2 to resolve CVE-2020-5313 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2020-5313","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5313"}},{"id":"dsa-4631","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}},{"id":"fedoraproject-msg-2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"}},{"id":"PYSEC-2020-84","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-84.yaml"}},{"id":"fedoraproject-msg-3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"}},{"id":"GHSA-hj69-c76v-86wr","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hj69-c76v-86wr"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5313"},"updated":"2024-10-08T13:02:51"},{"advisories":[{"title":"CVE-2021-28678","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28678"},{"title":"GitHub Advisory PYSEC-2021-94","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml"},{"title":"GitHub Advisory GHSA-hjfx-8p6c-g7gx","url":"https://github.com/advisories/GHSA-hjfx-8p6c-g7gx"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=5.1.0|<8.2.0","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-28678/pkg:pypi/pillow@5.4.1","cwes":[345],"description":"Insufficient Verification of Data Authenticity in Pillow","detail":"# Insufficient Verification of Data Authenticity in Pillow An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. ## Related CVE(s) BIT-pillow-2021-28678, CVE-2021-28678, PYSEC-2021-94","id":"CVE-2021-28678","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:49:20","ratings":[{"method":"CVSSv31","score":5.5,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-28678 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2021-28678","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28678"}},{"id":"PYSEC-2021-94","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml"}},{"id":"GHSA-hjfx-8p6c-g7gx","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hjfx-8p6c-g7gx"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28678"},"updated":"2024-10-14T21:48:01"},{"advisories":[{"title":"Debian Advisory dsa-4631","url":"https://www.debian.org/security/2020/dsa-4631"},{"title":"GitHub Advisory PYSEC-2019-110","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2019-110.yaml"},{"title":"Red Hat Advisory RHSA-2020:0694","url":"https://access.redhat.com/errata/RHSA-2020:0694"},{"title":"Red Hat Advisory RHSA-2020:0566","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"title":"GitHub Advisory GHSA-j7mj-748x-7p78","url":"https://github.com/advisories/GHSA-j7mj-748x-7p78"},{"title":"Red Hat Advisory RHSA-2020:0683","url":"https://access.redhat.com/errata/RHSA-2020:0683"},{"title":"Ubuntu Advisory USN-4272-1","url":"https://ubuntu.com/security/notices/USN-4272-1"},{"title":"Red Hat Advisory RHSA-2020:0681","url":"https://access.redhat.com/errata/RHSA-2020:0681"},{"title":"Red Hat Advisory RHSA-2020:0578","url":"https://access.redhat.com/errata/RHSA-2020:0578"},{"title":"CVE-2019-16865","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16865"},{"title":"Red Hat Advisory RHSA-2020:0580","url":"https://access.redhat.com/errata/RHSA-2020:0580"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.1.0","status":"affected"},{"status":"unaffected","version":"6.2.0"}]}],"analysis":{},"bom-ref":"CVE-2019-16865/pkg:pypi/pillow@5.4.1","cwes":[770],"description":"DOS attack in Pillow when processing specially crafted image files","detail":"# DOS attack in Pillow when processing specially crafted image files An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. ## Related CVE(s) CVE-2019-16865, PYSEC-2019-110","id":"CVE-2019-16865","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2019-10-22T14:40:42","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 6.2.0 to resolve CVE-2019-16865 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"dsa-4631","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}},{"id":"fedoraproject-msg-EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU"}},{"id":"PYSEC-2019-110","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2019-110.yaml"}},{"id":"RHSA-2020:0694","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0694"}},{"id":"RHSA-2020:0566","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"}},{"id":"GHSA-j7mj-748x-7p78","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-j7mj-748x-7p78"}},{"id":"RHSA-2020:0683","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0683"}},{"id":"USN-4272-1","source":{"name":"Ubuntu Advisory","url":"https://ubuntu.com/security/notices/USN-4272-1"}},{"id":"RHSA-2020:0681","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0681"}},{"id":"fedoraproject-msg-LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3"}},{"id":"RHSA-2020:0578","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0578"}},{"id":"CVE-2019-16865","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16865"}},{"id":"RHSA-2020:0580","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16865"},"updated":"2024-10-09T21:24:53"},{"advisories":[{"title":"GitHub Advisory GHSA-jgpv-4h4c-xhw3","url":"https://github.com/calix2/pyVulApp/security/advisories/GHSA-jgpv-4h4c-xhw3"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.1","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"GHSA-jgpv-4h4c-xhw3/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Uncontrolled Resource Consumption in pillow","detail":"# Uncontrolled Resource Consumption in pillow ### Impact _Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large._ ### Patches _An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._ ### Workarounds _An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._ ### References https://nvd.nist.gov/vuln/detail/CVE-2021-27921 ### For more information If you have any questions or comments about this advisory: * Open an issue in [example link to repo](http://example.com) * Email us at [example email address](mailto:example@example.com)","id":"GHSA-jgpv-4h4c-xhw3","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-04-23T16:54:36","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve GHSA-jgpv-4h4c-xhw3 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-jgpv-4h4c-xhw3","source":{"name":"GitHub Advisory","url":"https://github.com/calix2/pyVulApp/security/advisories/GHSA-jgpv-4h4c-xhw3"}}],"source":{"name":"GitHub Advisory","url":"https://github.com/calix2/pyVulApp/security/advisories/GHSA-jgpv-4h4c-xhw3"},"updated":"2023-04-11T01:45:01"},{"advisories":[{"title":"CVE-2022-45198","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45198"},{"title":"GitHub Advisory PYSEC-2022-42979","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42979.yaml"},{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.1.1","status":"affected"},{"status":"unaffected","version":"9.2.0"}]}],"analysis":{},"bom-ref":"CVE-2022-45198/pkg:pypi/pillow@5.4.1","cwes":[409],"description":"Pillow vulnerable to Data Amplification attack.","detail":"# Pillow vulnerable to Data Amplification attack. Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). ## Related CVE(s) BIT-pillow-2022-45198, CVE-2022-45198, PYSEC-2022-42979","id":"CVE-2022-45198","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-11-14T12:00:15","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 9.2.0 to resolve CVE-2022-45198 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2022-45198","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45198"}},{"id":"PYSEC-2022-42979","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42979.yaml"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45198"},"updated":"2024-10-14T18:39:06"},{"advisories":[{"title":"GitHub Advisory GHSA-mvg9-xffr-p774","url":"https://github.com/advisories/GHSA-mvg9-xffr-p774"},{"title":"GitHub Advisory PYSEC-2021-37","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-37.yaml"},{"title":"CVE-2021-25291","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25291"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.2","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-25291/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out of bounds read in Pillow","detail":"# Out of bounds read in Pillow An issue was discovered in Pillow before 8.2.0. In `TiffDecode.c`, there is an out-of-bounds read in `TiffreadRGBATile` via invalid tile boundaries. ## Related CVE(s) BIT-pillow-2021-25291, CVE-2021-25291, PYSEC-2021-37","id":"CVE-2021-25291","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-29T16:35:57","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-25291 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-mvg9-xffr-p774","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-mvg9-xffr-p774"}},{"id":"PYSEC-2021-37","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-37.yaml"}},{"id":"CVE-2021-25291","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25291"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25291"},"updated":"2024-10-09T21:25:39"},{"advisories":[{"title":"CVE-2021-25293","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25293"},{"title":"GitHub Advisory GHSA-p43w-g3c5-g5mq","url":"https://github.com/advisories/GHSA-p43w-g3c5-g5mq"},{"title":"GitHub Advisory PYSEC-2021-39","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-39.yaml"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=4.3.0|<8.1.1","status":"affected"},{"status":"unaffected","version":"8.1.1"}]}],"analysis":{},"bom-ref":"CVE-2021-25293/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out of bounds read in Pillow","detail":"# Out of bounds read in Pillow An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. ## Related CVE(s) BIT-pillow-2021-25293, CVE-2021-25293, PYSEC-2021-39","id":"CVE-2021-25293","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-29T16:35:27","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.1.1 to resolve CVE-2021-25293 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2021-25293","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25293"}},{"id":"GHSA-p43w-g3c5-g5mq","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-p43w-g3c5-g5mq"}},{"id":"PYSEC-2021-39","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-39.yaml"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25293"},"updated":"2024-10-09T20:24:39"},{"advisories":[{"title":"Debian Advisory dsa-4631","url":"https://www.debian.org/security/2020/dsa-4631"},{"title":"Red Hat Advisory RHSA-2020:0694","url":"https://access.redhat.com/errata/RHSA-2020:0694"},{"title":"GitHub Advisory GHSA-p49h-hjvm-jg3h","url":"https://github.com/advisories/GHSA-p49h-hjvm-jg3h"},{"title":"Red Hat Advisory RHSA-2020:0566","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"title":"Red Hat Advisory RHSA-2020:0683","url":"https://access.redhat.com/errata/RHSA-2020:0683"},{"title":"GitHub Advisory PYSEC-2020-83","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-83.yaml"},{"title":"Red Hat Advisory RHSA-2020:0681","url":"https://access.redhat.com/errata/RHSA-2020:0681"},{"title":"GitHub Advisory PYSEC-2020-83","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-83.yaml"},{"title":"Red Hat Advisory RHSA-2020:0578","url":"https://access.redhat.com/errata/RHSA-2020:0578"},{"title":"CVE-2020-5312","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5312"},{"title":"Red Hat Advisory RHSA-2020:0580","url":"https://access.redhat.com/errata/RHSA-2020:0580"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.2.1","status":"affected"},{"status":"unaffected","version":"6.2.2"}]}],"analysis":{},"bom-ref":"CVE-2020-5312/pkg:pypi/pillow@5.4.1","cwes":[120],"description":"PCX P mode buffer overflow in Pillow","detail":"# PCX P mode buffer overflow in Pillow libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. ## Related CVE(s) BIT-pillow-2020-5312, CVE-2020-5312, PYSEC-2020-83","id":"CVE-2020-5312","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-11-03T18:05:04","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 6.2.2 to resolve CVE-2020-5312 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"dsa-4631","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}},{"id":"RHSA-2020:0694","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0694"}},{"id":"GHSA-p49h-hjvm-jg3h","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-p49h-hjvm-jg3h"}},{"id":"fedoraproject-msg-2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"}},{"id":"RHSA-2020:0566","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"}},{"id":"fedoraproject-msg-3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"}},{"id":"RHSA-2020:0683","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0683"}},{"id":"PYSEC-2020-83","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-83.yaml"}},{"id":"RHSA-2020:0681","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0681"}},{"id":"PYSEC-2020-83","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-83.yaml"}},{"id":"RHSA-2020:0578","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0578"}},{"id":"CVE-2020-5312","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5312"}},{"id":"RHSA-2020:0580","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5312"},"updated":"2024-10-08T13:23:23"},{"advisories":[{"title":"Debian Advisory dsa-5053","url":"https://www.debian.org/security/2022/dsa-5053"},{"title":"CVE-2022-22815","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22815"},{"title":"GitHub Advisory GHSA-pw3c-h7wp-cvhx","url":"https://github.com/advisories/GHSA-pw3c-h7wp-cvhx"},{"title":"GitHub Advisory PYSEC-2022-8","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-8.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.4.0","status":"affected"},{"status":"unaffected","version":"9.0.0"}]}],"analysis":{},"bom-ref":"CVE-2022-22815/pkg:pypi/pillow@5.4.1","cwes":[665],"description":"Improper Initialization in Pillow","detail":"# Improper Initialization in Pillow Pillow is the friendly PIL (Python Imaging Library) fork. `path_getbbox` in `path.c` in Pillow before 9.0.0 improperly initializes `ImagePath.Path`. ## Related CVE(s) BIT-pillow-2022-22815, CVE-2022-22815, PYSEC-2022-8","id":"CVE-2022-22815","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-01-12T20:07:43","ratings":[{"method":"CVSSv31","score":6.5,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}],"recommendation":"Update to version 9.0.0 to resolve CVE-2022-22815 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"dsa-5053","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}},{"id":"CVE-2022-22815","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22815"}},{"id":"GHSA-pw3c-h7wp-cvhx","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-pw3c-h7wp-cvhx"}},{"id":"PYSEC-2022-8","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-8.yaml"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22815"},"updated":"2024-10-14T18:38:03"},{"advisories":[{"title":"GitHub Advisory PYSEC-2021-93","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml"},{"title":"CVE-2021-28677","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"title":"GitHub Advisory GHSA-q5hq-fp76-qmrc","url":"https://github.com/advisories/GHSA-q5hq-fp76-qmrc"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.1.2","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-28677/pkg:pypi/pillow@5.4.1","cwes":[400],"description":"Uncontrolled Resource Consumption in Pillow","detail":"# Uncontrolled Resource Consumption in Pillow An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of and as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. ## Related CVE(s) BIT-pillow-2021-28677, CVE-2021-28677, PYSEC-2021-93","id":"CVE-2021-28677","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:49:36","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-28677 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}},{"id":"PYSEC-2021-93","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml"}},{"id":"CVE-2021-28677","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"GHSA-q5hq-fp76-qmrc","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-q5hq-fp76-qmrc"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677"},"updated":"2024-10-14T21:48:17"},{"advisories":[{"title":"GitHub Advisory GHSA-r7rm-8j6h-r933","url":"https://github.com/advisories/GHSA-r7rm-8j6h-r933"},{"title":"CVE-2020-5311","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5311"},{"title":"Debian Advisory dsa-4631","url":"https://www.debian.org/security/2020/dsa-4631"},{"title":"Red Hat Advisory RHSA-2020:0566","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"title":"Red Hat Advisory RHSA-2020:0580","url":"https://access.redhat.com/errata/RHSA-2020:0580"},{"title":"GitHub Advisory PYSEC-2020-82","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-82.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.2.1","status":"affected"},{"status":"unaffected","version":"6.2.2"}]}],"analysis":{},"bom-ref":"CVE-2020-5311/pkg:pypi/pillow@5.4.1","cwes":[120],"description":"Buffer Copy without Checking Size of Input in Pillow","detail":"# Buffer Copy without Checking Size of Input in Pillow `libImaging/SgiRleDecode.c` in Pillow before 6.2.2 has an SGI buffer overflow. ## Related CVE(s) BIT-pillow-2020-5311, CVE-2020-5311, PYSEC-2020-82","id":"CVE-2020-5311","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-05-24T17:05:33","ratings":[{"method":"CVSSv31","score":9.8,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 6.2.2 to resolve CVE-2020-5311 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"GHSA-r7rm-8j6h-r933","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-r7rm-8j6h-r933"}},{"id":"CVE-2020-5311","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5311"}},{"id":"dsa-4631","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}},{"id":"fedoraproject-msg-2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"}},{"id":"RHSA-2020:0566","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"}},{"id":"fedoraproject-msg-3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"}},{"id":"RHSA-2020:0580","source":{"name":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"}},{"id":"PYSEC-2020-82","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-82.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5311"},"updated":"2024-10-08T13:23:04"},{"advisories":[{"title":"CVE-2021-25288","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25288"},{"title":"GitHub Advisory PYSEC-2021-138","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-138.yaml"},{"title":"Gentoo Advisory glsa-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"title":"GitHub Advisory GHSA-rwv7-3v45-hg29","url":"https://github.com/advisories/GHSA-rwv7-3v45-hg29"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=2.4.0|<8.2.0","status":"affected"},{"status":"unaffected","version":"8.2.0"}]}],"analysis":{},"bom-ref":"CVE-2021-25288/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Pillow Out-of-bounds Read vulnerability","detail":"# Pillow Out-of-bounds Read vulnerability An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. This dates to Pillow 2.4.0. ## Related CVE(s) BIT-pillow-2021-25288, CVE-2021-25288, PYSEC-2021-138","id":"CVE-2021-25288","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-06-08T18:49:28","ratings":[{"method":"CVSSv31","score":9.1,"severity":"critical","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}],"recommendation":"Update to version 8.2.0 to resolve CVE-2021-25288 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"CVE-2021-25288","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25288"}},{"id":"PYSEC-2021-138","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-138.yaml"}},{"id":"glsa-202107-33","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}},{"id":"GHSA-rwv7-3v45-hg29","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-rwv7-3v45-hg29"}},{"id":"fedoraproject-msg-MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25288"},"updated":"2024-10-09T21:25:47"},{"advisories":[{"title":"GitHub Advisory PYSEC-2020-81","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-81.yaml"},{"title":"CVE-2020-5310","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5310"},{"title":"GitHub Advisory PYSEC-2020-81","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-81.yaml"},{"title":"GitHub Advisory GHSA-vcqg-3p29-xw73","url":"https://github.com/advisories/GHSA-vcqg-3p29-xw73"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=6.2.1","status":"affected"},{"status":"unaffected","version":"6.2.2"}]}],"analysis":{},"bom-ref":"CVE-2020-5310/pkg:pypi/pillow@5.4.1","cwes":[190],"description":"Integer overflow in Pillow","detail":"# Integer overflow in Pillow `libImaging/TiffDecode.c` in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. ## Related CVE(s) BIT-pillow-2020-5310, CVE-2020-5310, PYSEC-2020-81","id":"CVE-2020-5310","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-11-03T18:04:41","ratings":[{"method":"CVSSv31","score":8.8,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 6.2.2 to resolve CVE-2020-5310 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"PYSEC-2020-81","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-81.yaml"}},{"id":"fedoraproject-msg-2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"}},{"id":"fedoraproject-msg-3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"}},{"id":"CVE-2020-5310","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5310"}},{"id":"PYSEC-2020-81","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-81.yaml"}},{"id":"GHSA-vcqg-3p29-xw73","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vcqg-3p29-xw73"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5310"},"updated":"2024-10-08T13:22:46"},{"advisories":[{"title":"GitHub Advisory PYSEC-2020-79","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-79.yaml"},{"title":"Snyk Advisory SNYK-PYTHON-PILLOW-574575","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574575"},{"title":"CVE-2020-10994","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10994"},{"title":"GitHub Advisory GHSA-vj42-xq3r-hr3r","url":"https://github.com/advisories/GHSA-vj42-xq3r-hr3r"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-10994/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds reads in Pillow","detail":"# Out-of-bounds reads in Pillow In `libImaging/Jpeg2KDecode.c` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. ## Related CVE(s) BIT-pillow-2020-10994, CVE-2020-10994, PYSEC-2020-79","id":"CVE-2020-10994","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-07-27T21:52:39","ratings":[{"method":"CVSSv31","score":5.5,"severity":"medium","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 7.1.0 to resolve CVE-2020-10994 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"}},{"id":"PYSEC-2020-79","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-79.yaml"}},{"id":"SNYK-PYTHON-PILLOW-574575","source":{"name":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574575"}},{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"}},{"id":"CVE-2020-10994","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10994"}},{"id":"GHSA-vj42-xq3r-hr3r","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vj42-xq3r-hr3r"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10994"},"updated":"2024-10-09T20:01:45"},{"advisories":[{"title":"CVE-2020-35654","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35654"},{"title":"GitHub Advisory GHSA-vqcj-wrf2-7v73","url":"https://github.com/advisories/GHSA-vqcj-wrf2-7v73"},{"title":"GitHub Advisory PYSEC-2021-70","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-70.yaml"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.0.1","status":"affected"},{"status":"unaffected","version":"8.1.0"}]}],"analysis":{},"bom-ref":"CVE-2020-35654/pkg:pypi/pillow@5.4.1","cwes":[787],"description":"Pillow Out-of-bounds Write","detail":"# Pillow Out-of-bounds Write In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. ## Related CVE(s) BIT-pillow-2020-35654, CVE-2020-35654, PYSEC-2021-70","id":"CVE-2020-35654","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2021-03-18T19:55:27","ratings":[{"method":"CVSSv31","score":8.8,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"recommendation":"Update to version 8.1.0 to resolve CVE-2020-35654 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"}},{"id":"fedoraproject-msg-6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"}},{"id":"fedoraproject-msg-ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"}},{"id":"CVE-2020-35654","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35654"}},{"id":"GHSA-vqcj-wrf2-7v73","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vqcj-wrf2-7v73"}},{"id":"fedoraproject-msg-TQQY6472RX4J2SUJENWDZAWKTJJGP2ML","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"}},{"id":"PYSEC-2021-70","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-70.yaml"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35654"},"updated":"2024-10-14T18:39:21"},{"advisories":[{"title":"GitHub Advisory PYSEC-2022-9","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yaml"},{"title":"Debian Advisory dsa-5053","url":"https://www.debian.org/security/2022/dsa-5053"},{"title":"Gentoo Advisory glsa-202211-10","url":"https://security.gentoo.org/glsa/202211-10"},{"title":"GitHub Advisory GHSA-xrcv-f9gm-v42c","url":"https://github.com/advisories/GHSA-xrcv-f9gm-v42c"},{"title":"CVE-2022-22816","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22816"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=8.4.0","status":"affected"},{"status":"unaffected","version":"9.0.0"}]}],"analysis":{},"bom-ref":"CVE-2022-22816/pkg:pypi/pillow@5.4.1","cwes":[125],"description":"Out-of-bounds Read in Pillow","detail":"# Out-of-bounds Read in Pillow path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. ## Related CVE(s) BIT-pillow-2022-22816, CVE-2022-22816, PYSEC-2022-9","id":"CVE-2022-22816","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2022-01-12T20:07:41","ratings":[{"method":"CVSSv31","score":6.5,"severity":"medium","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}],"recommendation":"Update to version 9.0.0 to resolve CVE-2022-22816 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"PYSEC-2022-9","source":{"name":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yaml"}},{"id":"debian-msg-msg00018","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}},{"id":"dsa-5053","source":{"name":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}},{"id":"glsa-202211-10","source":{"name":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"}},{"id":"GHSA-xrcv-f9gm-v42c","source":{"name":"GitHub Advisory","url":"https://github.com/advisories/GHSA-xrcv-f9gm-v42c"}},{"id":"CVE-2022-22816","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22816"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22816"},"updated":"2024-10-14T18:38:42"},{"advisories":[],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"PYSEC-2020-77/pkg:pypi/pillow@5.4.1","cwes":[],"description":"Summary","detail":"# Summary In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.","id":"PYSEC-2020-77","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-06-25T19:15:00","ratings":[{"method":"CVSSv31","score":2.0,"severity":"low","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"recommendation":"Update to version 7.1.0 to resolve PYSEC-2020-77 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/"}},{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/"}}],"source":{"name":"Google"},"updated":"2020-07-27T19:15:00"},{"advisories":[],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=7.0.0","status":"affected"},{"status":"unaffected","version":"7.1.0"}]}],"analysis":{},"bom-ref":"PYSEC-2020-78/pkg:pypi/pillow@5.4.1","cwes":[],"description":"Summary","detail":"# Summary In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.","id":"PYSEC-2020-78","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2020-06-25T19:15:00","ratings":[{"method":"CVSSv31","score":2.0,"severity":"low","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"recommendation":"Update to version 7.1.0 to resolve PYSEC-2020-78 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","references":[{"id":"fedoraproject-msg-BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/"}},{"id":"fedoraproject-msg-HOKHNWV2VS5GESY7IBD237E7C6T3I427","source":{"name":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/"}}],"source":{"name":"Google"},"updated":"2020-07-27T19:15:00"},{"advisories":[{"title":"CVE-2023-5129","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"},{"title":"CVE-2023-4863","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"}],"affects":[{"ref":"pkg:pypi/pillow@5.4.1","versions":[{"range":"vers:pypi/>=1.0|<=9.5.0","status":"affected"}]}],"analysis":{},"bom-ref":"PYSEC-2023-175/pkg:pypi/pillow@5.4.1","cwes":[],"description":"Summary","detail":"# Summary Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.","id":"PYSEC-2023-175","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2023-09-20T05:46:53","ratings":[{"method":"CVSSv31","score":2.0,"severity":"low","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"recommendation":"No recommendation found for PYSEC-2023-175. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","references":[{"id":"CVE-2023-5129","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"}},{"id":"CVE-2023-4863","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"}}],"source":{"name":"Google"},"updated":"2023-09-25T17:25:13"},{"advisories":[{"title":"CVE-2024-1135","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1135"},{"title":"Huntr Advisory 22158e34-cfd5-41ad-97e0-a780773d96c1","url":"https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1"}],"affects":[{"ref":"pkg:pypi/gunicorn@19.9.0","versions":[{"range":"vers:pypi/>=0.1|<=21.2.0","status":"affected"},{"status":"unaffected","version":"22.0.0"}]}],"analysis":{},"bom-ref":"CVE-2024-1135/pkg:pypi/gunicorn@19.9.0","cwes":[444],"description":"Request smuggling leading to endpoint restriction bypass in Gunicorn","detail":"# Request smuggling leading to endpoint restriction bypass in Gunicorn Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability has been shown to allow access to endpoints restricted by gunicorn. This issue has been addressed in version 22.0.0. To be affected users must have a network path which does not filter out invalid requests. These users are advised to block access to restricted endpoints via a firewall or other mechanism if they are unable to update.","id":"CVE-2024-1135","properties":[{"name":"depscan:prioritized","value":"false"}],"published":"2024-04-16T00:30:32","ratings":[{"method":"CVSSv31","score":8.2,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"recommendation":"Update to version 22.0.0.","references":[{"id":"CVE-2024-1135","source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1135"}},{"id":"debian-msg-msg00027","source":{"name":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html"}},{"id":"22158e34-cfd5-41ad-97e0-a780773d96c1","source":{"name":"Huntr Advisory","url":"https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1"}}],"source":{"name":"NVD","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1135"},"updated":"2024-07-01T00:46:19"},{"advisories":[],"affects":[{"ref":"pkg:pypi/selenium@3.141.0","versions":[{"range":"vers:pypi/>=0.9.2|<=4.9.1","status":"affected"},{"status":"unaffected","version":"4.14.0"}]}],"analysis":{},"bom-ref":"CVE-2023-5590/pkg:pypi/selenium@3.141.0","cwes":[],"description":"Summary","detail":"# Summary NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.","id":"CVE-2023-5590","properties":[{"name":"depscan:prioritized","value":"true"},{"name":"depscan:insights","value":"Has PoC"}],"published":"2023-10-15T23:15:00","ratings":[{"method":"CVSSv31","score":7.5,"severity":"high","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"recommendation":"Update to version 4.14.0.","references":[],"source":{"name":"Mitre"},"updated":"2023-11-08T04:13:47"}]}