{"document":{"aggregate_severity":{"text":"Critical"},"category":"csaf_vex","csaf_version":"2.0","lang":"en","notes":[{"category":"legal_disclaimer","text":"Depscan reachable code only covers the project source code, not the code of dependencies. A dependency may execute vulnerable code when called even if it is not in the project's source code. Regard the Depscan-set flag of 'code_not_in_execute_path' with this in mind."}],"publisher":{"category":"vendor","contact_details":"vendor@mcvendorson.com","name":"Vendor McVendorson","namespace":"https://appthreat.com"},"title":"Your Title","tracking":{"current_release_date":"2024-11-08T05:57:20","id":"2024-11-08T05:57:20_v1","initial_release_date":"2024-11-08T05:57:20","revision_history":[],"status":"draft","version":"1"}},"product_tree":{"full_product_names":[{"name":"django-goat","product_id":"django-goat:latest","product_identification_helper":{"purl":"pkg:pypi/django-goat@latest"}}]},"vulnerabilities":[{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-11358"]}],"cve":"CVE-2019-11358","cwe":{"id":"1321","name":"Improperly Controlled Modification of Object Prototype Attributes"},"discovery_date":"2019-04-26T16:29:11","ids":[{"system_name":"Backdropcms Advisory","text":"BACKDROP-SA-CORE-2019-009"},{"system_name":"Oracle Advisory","text":"CPUAPR2020"},{"system_name":"Oracle Advisory","text":"CPUAPR2021"},{"system_name":"Oracle Advisory","text":"CPUJAN2020"},{"system_name":"Oracle Advisory","text":"CPUJAN2021"},{"system_name":"Oracle Advisory","text":"CPUJAN2022"},{"system_name":"Oracle Advisory","text":"CPUJUL2019-5072835"},{"system_name":"Oracle Advisory","text":"CPUJUL2020"},{"system_name":"Oracle Advisory","text":"CPUJUL2021"},{"system_name":"Oracle Advisory","text":"CPUOCT2019-5072832"},{"system_name":"Oracle Advisory","text":"CPUOCT2020"},{"system_name":"Oracle Advisory","text":"CPUOCT2021"},{"system_name":"CVE Record","text":"CVE-2019-11358"},{"system_name":"Debian 
Advisory","text":"DSA-4434"},{"system_name":"Debian Advisory","text":"DSA-4460"},{"system_name":"Jquery Advisory","text":"JQUERY-3-4-0-RELEASED"},{"system_name":"NetApp Advisory","text":"NTAP-20190919-0001"},{"system_name":"Red Hat Advisory","text":"RHBA-2019:1570"},{"system_name":"Red Hat Advisory","text":"RHSA-2019:1456"},{"system_name":"Red Hat Advisory","text":"RHSA-2019:2587"},{"system_name":"Red Hat Advisory","text":"RHSA-2019:3023"},{"system_name":"Red Hat Advisory","text":"RHSA-2019:3024"},{"system_name":"Snyk Advisory","text":"SNYK-DOTNET-JQUERY-450226"},{"system_name":"Snyk Advisory","text":"SNYK-JS-JQUERY-174006"},{"system_name":"Synology Advisory","text":"SYNOLOGY_SA_19_19"},{"system_name":"Tenable Advisory","text":"TNS-2019-08"},{"system_name":"Tenable Advisory","text":"TNS-2020-02"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Input During Web Page Generation","title":"Additional CWE: 79"},{"category":"description","details":"Vulnerability Description","text":"XSS in jQuery as used in Drupal, Backdrop CMS, and other products"},{"category":"details","details":"Vulnerability Details","text":"# XSS in jQuery as used in Drupal, Backdrop CMS, and other products jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`. 
## Related CVE(s) CVE-2019-11358, SNYK-JS-JQUERY-174006"},{"category":"other","text":"Update to version 2.1.9 to resolve CVE-2019-11358 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.0a1|<2.1.9"],"known_not_affected":["django@2.1.9"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html"},{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/10"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/11"},{"summary":"Seclists Exploit","url":"http://seclists.org/fulldisclosure/2019/May/13"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/06/03/2"},{"summary":"Security Focus Mailing List","url":"http://www.securityfocus.com/bid/108023"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHBA-2019:1570"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:1456"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:2587"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:3023"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2019:3024"},{"summary":"Backdropcms 
Advisory","url":"https://backdropcms.org/security/backdrop-sa-core-2019-009"},{"summary":"Jquery Advisory","url":"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released"},{"summary":"CVE Record","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"},{"summary":"Apache Mailing 
List","url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E"},{"summary":"Apache 
Mailing List","url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"summary":"Apache Mailing List","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11358"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Apr/32"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jun/12"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/May/18"},{"summary":"NetApp 
Advisory","url":"https://security.netapp.com/advisory/ntap-20190919-0001"},{"summary":"Snyk Advisory","url":"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226"},{"summary":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-JS-JQUERY-174006"},{"summary":"Archive Mailing List","url":"https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4434"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4460"},{"summary":"Oracle Advisory","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"summary":"Oracle Advisory","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"summary":"Synology Advisory","url":"https://www.synology.com/security/advisory/Synology_SA_19_19"},{"summary":"Tenable Advisory","url":"https://www.tenable.com/security/tns-2019-08"},{"summary":"Tenable 
Advisory","url":"https://www.tenable.com/security/tns-2020-02"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"},"products":["django@vers:pypi/>=2.0a1|<2.1.9"]}],"title":"CVE-2019-11358/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-33203"]}],"cve":"CVE-2021-33203","cwe":{"id":"22","name":"Improper Limitation of a Pathname to a Restricted Directory"},"discovery_date":"2021-06-10T17:21:00","ids":[{"system_name":"CVE Record","text":"CVE-2021-33203"},{"system_name":"GitHub Advisory","text":"GHSA-68W8-QJQ3-2GFM"},{"system_name":"NetApp Advisory","text":"NTAP-20210727-0004"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-98"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Path Traversal in Django"},{"category":"details","details":"Vulnerability Details","text":"# Path Traversal in Django Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. 
Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. ## Related CVE(s) BIT-django-2021-33203, CVE-2021-33203, PYSEC-2021-98"},{"category":"other","text":"Update to version 2.2.24 to resolve CVE-2021-33203 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=1.0.1|<=2.2rc1"],"known_not_affected":["django@2.2.24"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-68w8-qjq3-2gfm"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-98.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33203"},{"summary":"NetApp 
Advisory","url":"https://security.netapp.com/advisory/ntap-20210727-0004"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":4.9,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"HIGH","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","temporalScore":4.9,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"products":["django@vers:pypi/>=1.0.1|<=2.2rc1"]}],"title":"CVE-2021-33203/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-12781"]}],"cve":"CVE-2019-12781","cwe":{"id":"319","name":"Cleartext Transmission of Sensitive Information"},"discovery_date":"2019-07-03T20:37:25","ids":[{"system_name":"CVE Record","text":"CVE-2019-12781"},{"system_name":"Debian Advisory","text":"DSA-4476"},{"system_name":"GitHub Advisory","text":"GHSA-6C7V-2F49-8H26"},{"system_name":"NetApp Advisory","text":"NTAP-20190705-0002"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-10"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS"},{"category":"details","details":"Vulnerability Details","text":"# Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. 
In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. ## Related CVE(s) CVE-2019-12781, PYSEC-2019-10"},{"category":"other","text":"Update to version 2.1.10 to resolve CVE-2019-12781 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1|<2.1.10"],"known_not_affected":["django@2.1.10"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/07/01/3"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-6c7v-2f49-8h26"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-10.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12781"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jul/10"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190705-0002"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2019/dsa-4476"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.3,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.3,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.0"},"products":["django@vers:pypi/>=2.1|<2.1.10"]}],"title":"CVE-2019-12781/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-14234"]}],"cve":"CVE-2019-14234","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2019-08-16T14:00:34","ids":[{"system_name":"CVE Record","text":"CVE-2019-14234"},{"system_name":"Debian Advisory","text":"DSA-4498"},{"system_name":"GitHub Advisory","text":"GHSA-6R97-CJ55-9HRQ"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20190828-0002"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-13"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"SQL Injection in Django"},{"category":"details","details":"Vulnerability Details","text":"# SQL Injection in Django An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. ## Related CVE(s) CVE-2019-14234, PYSEC-2019-13"},{"category":"other","text":"Update to version 2.1.11 to resolve CVE-2019-14234 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1a1|<2.1.11"],"known_not_affected":["django@2.1.11"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-6r97-cj55-9hrq"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-13.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14234"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.0"},"products":["django@vers:pypi/>=2.1a1|<2.1.11"]}],"title":"CVE-2019-14234/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-12308"]}],"cve":"CVE-2019-12308","cwe":{"id":"79","name":"Improper Neutralization of Input During Web Page Generation"},"discovery_date":"2019-06-10T18:43:25","ids":[{"system_name":"CVE Record","text":"CVE-2019-12308"},{"system_name":"Debian Advisory","text":"DSA-4476"},{"system_name":"GitHub Advisory","text":"GHSA-7RP2-FM2H-WCHJ"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-79"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django Cross-site Scripting in AdminURLFieldWidget"},{"category":"details","details":"Vulnerability Details","text":"# Django Cross-site Scripting in AdminURLFieldWidget An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. 
Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. ## Related CVE(s) CVE-2019-12308, PYSEC-2019-79"},{"category":"other","text":"Update to version 2.1.9 to resolve CVE-2019-12308 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1a1|<2.1.9"],"known_not_affected":["django@2.1.9"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/06/03/2"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7rp2-fm2h-wchj"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12308"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Jul/10"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2019/dsa-4476"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":6.1,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"CHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"CHANGED","temporalScore":6.1,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"},"products":["django@vers:pypi/>=2.1a1|<2.1.9"]}],"title":"CVE-2019-12308/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-36359"]}],"cve":"CVE-2022-36359","cwe":{"id":"494","name":"Download of Code Without Integrity Check"},"discovery_date":"2022-08-11T14:49:12","ids":[{"system_name":"CVE Record","text":"CVE-2022-36359"},{"system_name":"Debian Advisory","text":"DSA-5254"},{"system_name":"NetApp Advisory","text":"NTAP-20220915-0008"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-245"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django vulnerable to Reflected File Download attack "},{"category":"details","details":"Vulnerability Details","text":"# Django vulnerable to Reflected File Download attack An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. 
## Related CVE(s) BIT-django-2022-36359, CVE-2022-36359, CVE-2022-45442, GHSA-2x8x-jmrp-phxw, PYSEC-2022-245"},{"category":"other","text":"Update to version 3.2.15.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=1.0.1|<=3.2rc1"],"known_not_affected":["django@3.2.15"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2022/08/03/1"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-245.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/g/django-announce/c/8cz--gvaJr4"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36359"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20220915-0008"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2022/dsa-5254"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["django@vers:pypi/>=1.0.1|<=3.2rc1"]}],"title":"CVE-2022-36359/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-14232"]}],"cve":"CVE-2019-14232","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2019-08-06T01:43:29","ids":[{"system_name":"CVE Record","text":"CVE-2019-14232"},{"system_name":"Debian Advisory","text":"DSA-4498"},{"system_name":"GitHub Advisory","text":"GHSA-C4QH-4VGV-QC6G"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20190828-0002"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-11"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django Denial-of-service in django.utils.text.Truncator"},{"category":"details","details":"Vulnerability Details","text":"# Django Denial-of-service in django.utils.text.Truncator An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. 
If `django.utils.text.Truncator`'s `chars()` and `words()` methods were passed the `html=True` argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The `chars()` and `words()` methods are used to implement the `truncatechars_html` and `truncatewords_html` template filters, which were thus vulnerable. ## Related CVE(s) CVE-2019-14232, PYSEC-2019-11"},{"category":"other","text":"Update to version 2.1.11 to resolve CVE-2019-14232 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1a1|<2.1.11"],"known_not_affected":["django@2.1.11"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/10/04/6"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2024/03/04/1"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-c4qh-4vgv-qc6g"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-11.yaml"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/tree/main/vulns/django/PYSEC-2019-11.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"},{"summary":"Open Suse Mailing List","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3LGJSPCN3VEG2UJPYCUB6TU75JTIV2TQ"},{"summary":"Open Suse Mailing List","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/5XTP44JEOSNXRVW4JDZXA5XGMBDZLWSW"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14232"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2023/10/04/6"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["django@vers:pypi/>=2.1a1|<2.1.11"]}],"title":"CVE-2019-14232/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-14233"]}],"cve":"CVE-2019-14233","cwe":{"id":"400","name":"Uncontrolled Resource 
Consumption"},"discovery_date":"2019-08-06T01:43:33","ids":[{"system_name":"CVE Record","text":"CVE-2019-14233"},{"system_name":"Debian Advisory","text":"DSA-4498"},{"system_name":"GitHub Advisory","text":"GHSA-H5JV-4P7W-64JG"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20190828-0002"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-12"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django Denial-of-service in strip_tags()"},{"category":"details","details":"Vulnerability Details","text":"# Django Denial-of-service in strip_tags() An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. ## Related CVE(s) CVE-2019-14233, PYSEC-2019-12"},{"category":"other","text":"Update to version 2.1.11 to resolve CVE-2019-14233 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1a1|<2.1.11"],"known_not_affected":["django@2.1.11"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-h5jv-4p7w-64jg"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-12.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"},{"summary":"Fedora Project Mailing 
List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14233"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.0"},"products":["django@vers:pypi/>=2.1a1|<2.1.11"]}],"title":"CVE-2019-14233/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-7471"]}],"cve":"CVE-2020-7471","cwe":{"id":"89","name":"Improper Neutralization of Special Elements used in an SQL Command"},"discovery_date":"2020-02-11T21:03:20","ids":[{"system_name":"CVE Record","text":"CVE-2020-7471"},{"system_name":"Debian Advisory","text":"DSA-4629"},{"system_name":"GitHub Advisory","text":"GHSA-HMR4-M2H5-33QX"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20200221-0006"},{"system_name":"GitHub 
Advisory","text":"PYSEC-2020-35"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"SQL injection in Django"},{"category":"details","details":"Vulnerability Details","text":"# SQL injection in Django Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. ## Related CVE(s) BIT-django-2020-7471, CVE-2020-7471, PYSEC-2020-35"},{"category":"other","text":"Update to version 2.2.10 to resolve CVE-2020-7471 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.0|<2.2.10"],"known_not_affected":["django@2.2.10"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2020/02/03/1"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hmr4-m2h5-33qx"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-35.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7471"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2020/Feb/30"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20200221-0006"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4629"},{"summary":"Openwall Mailing List","url":"https://www.openwall.com/lists/oss-security/2020/02/03/1"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["django@vers:pypi/>=2.0|<2.2.10"]}],"title":"CVE-2020-7471/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-19118"]}],"cve":"CVE-2019-19118","cwe":{"id":"276","name":"Incorrect Default Permissions"},"discovery_date":"2019-12-04T21:26:28","ids":[{"system_name":"CVE Record","text":"CVE-2019-19118"},{"system_name":"GitHub Advisory","text":"GHSA-HVMF-R92R-27HR"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20191217-0003"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-15"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django allows unintended model editing"},{"category":"details","details":"Vulnerability Details","text":"# Django allows unintended model editing Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. 
A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) ## Related CVE(s) CVE-2019-19118, PYSEC-2019-15"},{"category":"other","text":"Update to version 2.1.15 to resolve CVE-2019-19118 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1|<2.1.15"],"known_not_affected":["django@2.1.15"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2019/12/02/1"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hvmf-r92r-27hr"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-15.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19118"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp 
Advisory","url":"https://security.netapp.com/advisory/ntap-20191217-0003"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"},"products":["django@vers:pypi/>=2.1|<2.1.15"]}],"title":"CVE-2019-19118/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-45231"]}],"cve":"CVE-2024-45231","cwe":{"id":"203","name":"Observable Discrepancy"},"discovery_date":"2024-10-08T18:33:13","ids":[{"system_name":"CVE Record","text":"CVE-2024-45231"}],"notes":[{"audience":"developers","category":"other","text":"Observable Response Discrepancy","title":"Additional CWE: 204"},{"category":"description","details":"Vulnerability Description","text":"Django allows enumeration of user e-mail addresses"},{"category":"details","details":"Vulnerability Details","text":"# Django allows enumeration of user e-mail addresses An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing). 
## Related CVE(s) BIT-django-2024-45231, CVE-2024-45231"},{"category":"other","text":"No recommendation found for CVE-2024-45231. Updating to version 3.2.15 is recommended nonetheless in order to address additional vulnerabilities identified for this package; note that 3.2.15 is not known to resolve CVE-2024-45231 itself.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=1.0.1|<=4.2rc1"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45231"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.7,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.7,"temporalSeverity":"LOW","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"products":["django@vers:pypi/>=1.0.1|<=4.2rc1"]}],"title":"CVE-2024-45231/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-14235"]}],"cve":"CVE-2019-14235","cwe":{"id":"674","name":"Uncontrolled Recursion"},"discovery_date":"2019-08-06T01:43:31","ids":[{"system_name":"CVE Record","text":"CVE-2019-14235"},{"system_name":"Debian Advisory","text":"DSA-4498"},{"system_name":"GitHub Advisory","text":"GHSA-V9QG-3J8P-R63V"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20190828-0002"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-14"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Recursion in 
Django"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Recursion in Django An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. ## Related CVE(s) CVE-2019-14235, PYSEC-2019-14"},{"category":"other","text":"Update to version 2.1.11 to resolve CVE-2019-14235 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.1a1|<2.1.11"],"known_not_affected":["django@2.1.11"]},"references":[{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"},{"summary":"Open Suse Mailing List","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-v9qg-3j8p-r63v"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-14.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14235"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2019/Aug/15"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20190828-0002"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2019/dsa-4498"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.0"},"products":["django@vers:pypi/>=2.1a1|<2.1.11"]}],"title":"CVE-2019-14235/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-19844"]}],"cve":"CVE-2019-19844","cwe":{"id":"640","name":"Weak Password Recovery Mechanism for Forgotten Password"},"discovery_date":"2020-01-16T22:35:12","ids":[{"system_name":"CVE Record","text":"CVE-2019-19844"},{"system_name":"Debian Advisory","text":"DSA-4598"},{"system_name":"GitHub Advisory","text":"GHSA-VFQ6-HQ5R-27R6"},{"system_name":"Gentoo Advisory","text":"GLSA-202004-17"},{"system_name":"NetApp Advisory","text":"NTAP-20200110-0003"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-16"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Django Potential account hijack via password reset form"},{"category":"details","details":"Vulnerability Details","text":"# Django Potential account hijack via password reset form Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. 
A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) ## Related CVE(s) CVE-2019-19844, PYSEC-2019-16"},{"category":"other","text":"Update to version 2.2.9 to resolve CVE-2019-19844 or update to version 3.2.15 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["django@vers:pypi/>=2.0|<2.2.9"],"known_not_affected":["django@2.2.9"]},"references":[{"summary":"Packetstormsecurity Exploit","url":"http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vfq6-hq5r-27r6"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml"},{"summary":"Google Mailing List","url":"https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19844"},{"summary":"Seclists Exploit","url":"https://seclists.org/bugtraq/2020/Jan/9"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202004-17"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20200110-0003"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4598"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["django@vers:pypi/>=2.0|<2.2.9"]}],"title":"CVE-2019-19844/pkg:pypi/django@2.1.7"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-4863"]}],"cve":"CVE-2023-4863","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2023-09-12T15:30:20","ids":[{"system_name":"Bentley Advisory","text":"BE-2023-0001"},{"system_name":"CVE Record","text":"CVE-2023-4863"},{"system_name":"Debian Advisory","text":"DSA-5496"},{"system_name":"Debian Advisory","text":"DSA-5497"},{"system_name":"Debian Advisory","text":"DSA-5498"},{"system_name":"Gentoo Advisory","text":"GLSA-202309-05"},{"system_name":"Gentoo Advisory","text":"GLSA-202401-10"},{"system_name":"Mozilla Advisory","text":"MFSA2023-40"},{"system_name":"NetApp Advisory","text":"NTAP-20230929-0011"},{"system_name":"Rustsec Advisory","text":"RUSTSEC-2023-0060"},{"system_name":"Rustsec Advisory","text":"RUSTSEC-2023-0061"},{"system_name":"Suse Bugzilla","text":"SUSE-BUGZILLA-1215231"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"libwebp: OOB write in BuildHuffmanTable"},{"category":"details","details":"Vulnerability Details","text":"# libwebp: OOB 
write in BuildHuffmanTable Heap buffer overflow in libwebp allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. ## Related CVE(s) A-299477569, ASB-A-299477569, CVE-2023-4863, CVE-2023-5129, RUSTSEC-2023-0060, RUSTSEC-2023-0061"},{"category":"other","text":"No recommendation found for CVE-2023-4863. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/21/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/3"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/4"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/5"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/6"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/7"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/22/8"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/26/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/26/7"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/1"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/2"},{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2023/09/28/4"},{"summary":"Suse Bugzilla","url":"https://bugzilla.suse.com/show_bug.cgi?id=1215231"},{"summary":"Googleblog 
Advisory","url":"https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I"},{"summary":"CVE Record","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},{"summary":"Rustsec Advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0060.html"},{"summary":"Rustsec 
Advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0061.html"},{"summary":"CVE Record","url":"https://security-tracker.debian.org/tracker/CVE-2023-4863"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202309-05"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202401-10"},{"summary":"NetApp Advisory","url":"https://security.netapp.com/advisory/ntap-20230929-0011"},{"summary":"Bentley Advisory","url":"https://www.bentley.com/advisories/be-2023-0001"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5496"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5497"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2023/dsa-5498"},{"summary":"Mozilla Advisory","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2023-40"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"CVE-2023-4863/pkg:pypi/pillow@5.4.1"},{"cve":"CVE-2023-50447","cwe":{"id":"94","name":"Improper Control of Generation of Code"},"discovery_date":"2024-01-19T21:30:35","ids":[{"system_name":"CVE Record","text":"CVE-2023-50447"}],"notes":[{"audience":"developers","category":"other","text":"Improper Neutralization of Directives in Dynamically Evaluated 
Code","title":"Additional CWE: 95"},{"category":"description","details":"Vulnerability Description","text":"Arbitrary Code Execution in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Arbitrary Code Execution in Pillow Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). ## Related CVE(s) BIT-pillow-2023-50447, CVE-2023-50447"},{"category":"other","text":"No recommendation found for CVE-2023-50447. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"]},"references":[{"summary":"Openwall Mailing List","url":"http://www.openwall.com/lists/oss-security/2024/01/20/1"},{"summary":"CVE Record","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-50447"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50447"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"CVE-2023-50447/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-27922"]}],"cve":"CVE-2021-27922","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-03-18T19:55:21","ids":[{"system_name":"CVE Record","text":"CVE-2021-27922"},{"system_name":"GitHub Advisory","text":"GHSA-3WVG-MJ6G-M9CV"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-41"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. 
## Related CVE(s) BIT-pillow-2021-27922, CVE-2021-27922, PYSEC-2021-41"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-27922 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.0"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-3wvg-mj6g-m9cv"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-41.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27922"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.0"]}],"title":"CVE-2021-27922/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10378"]}],"cve":"CVE-2020-10378","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-11-03T18:04:53","ids":[{"system_name":"CVE Record","text":"CVE-2020-10378"},{"system_name":"GitHub Advisory","text":"GHSA-3XV8-3J54-HGRP"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-77"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds read in Pillow In `libImaging/PcxDecode.c` in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where `state->shuffle` is instructed to read beyond `state->buffer`. 
## Related CVE(s) BIT-pillow-2020-10378, CVE-2020-10378"},{"category":"other","text":"Update to version 7.1.0 to resolve CVE-2020-10378 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-3xv8-3j54-hgrp"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-77.yaml"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-77.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10378"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"CVE-2020-10378/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-11538"]}],"cve":"CVE-2020-11538","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2020-07-27T21:52:36","ids":[{"system_name":"CVE Record","text":"CVE-2020-11538"},{"system_name":"GitHub Advisory","text":"GHSA-43FQ-W8QQ-V88H"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-80"},{"system_name":"Snyk Advisory","text":"SNYK-PYTHON-PILLOW-574574"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds read in Pillow In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311. ## Related CVE(s) BIT-pillow-2020-11538, CVE-2020-11538, PYSEC-2020-80"},{"category":"other","text":"No recommendation found for CVE-2020-11538. 
Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-43fq-w8qq-v88h"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-80.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11538"},{"summary":"Snyk Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574574"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.1,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.1,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"CVE-2020-11538/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-28219"]}],"cve":"CVE-2024-28219","cwe":{"id":"120","name":"Buffer Copy without Checking Size of 
Input"},"discovery_date":"2024-04-03T03:30:30","ids":[{"system_name":"CVE Record","text":"CVE-2024-28219"}],"notes":[{"audience":"developers","category":"other","text":"Use of Potentially Dangerous Function","title":"Additional CWE: 676"},{"audience":"developers","category":"other","text":"Integer Overflow to Buffer Overflow","title":"Additional CWE: 680"},{"category":"description","details":"Vulnerability Description","text":"Pillow buffer overflow vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Pillow buffer overflow vulnerability In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy. ## Related CVE(s) BIT-pillow-2024-28219, CVE-2024-28219"},{"category":"other","text":"Update to version 10.3.0.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"],"known_not_affected":["pillow@10.3.0"]},"references":[{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28219"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":6.7,"environmentalSeverity":"MEDIUM","integrityImpact":"HIGH","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"LOW","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"LOW","scope":"UNCHANGED","temporalScore":6.7,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"CVE-2024-28219/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"GitHub","urls":["https://github.com/advisories/GHSA-4fx9-vc88-q2xc"]}],"cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2022-03-11T23:39:27","ids":[{"system_name":"GitHub Advisory","text":"GHSA-4FX9-VC88-Q2XC"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Infinite loop in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Infinite loop in Pillow JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder. If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file."},{"category":"other","text":"No recommendation found for GHSA-4fx9-vc88-q2xc. 
Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.4.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-4fx9-vc88-q2xc"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.4.0"]}],"title":"GHSA-4fx9-vc88-q2xc/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"GitHub","urls":["https://github.com/advisories/GHSA-56pw-mpj4-fxww"]}],"discovery_date":"2023-10-05T00:06:58","ids":[{"system_name":"CVE Record","text":"CVE-2023-4863"},{"system_name":"CVE Record","text":"CVE-2023-5129"},{"system_name":"GitHub Advisory","text":"GHSA-56PW-MPJ4-FXWW"},{"system_name":"GitHub Advisory","text":"PYSEC-2023-175"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Bundled libwebp in Pillow vulnerable"},{"category":"details","details":"Vulnerability Details","text":"# Bundled libwebp in Pillow vulnerable Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). 
Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2."},{"category":"other","text":"No recommendation found for GHSA-56pw-mpj4-fxww. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-56pw-mpj4-fxww"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":7.3,"environmentalSeverity":"HIGH","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.3,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"GHSA-56pw-mpj4-fxww/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25289"]}],"cve":"CVE-2021-25289","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2021-03-29T16:35:16","ids":[{"system_name":"CVE Record","text":"CVE-2021-25289"},{"system_name":"GitHub Advisory","text":"GHSA-57H3-9RGR-C24M"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub 
Advisory","text":"PYSEC-2021-35"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out of bounds write in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out of bounds write in Pillow An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654. ## Related CVE(s) BIT-pillow-2021-25289, CVE-2021-25289, PYSEC-2021-35"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-25289 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.0"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-57h3-9rgr-c24m"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-35.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25289"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.0"]}],"title":"CVE-2021-25289/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-19911"]}],"cve":"CVE-2019-19911","cwe":{"id":"190","name":"Integer Overflow or Wraparound"},"discovery_date":"2020-04-01T16:36:44","ids":[{"system_name":"CVE Record","text":"CVE-2019-19911"},{"system_name":"Debian Advisory","text":"DSA-4631"},{"system_name":"GitHub Advisory","text":"GHSA-5GM3-PX64-RW72"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-172"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in Pillow There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer. 
## Related CVE(s) CVE-2019-19911, PYSEC-2020-172"},{"category":"other","text":"Update to version 6.2.2 to resolve CVE-2019-19911 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.2.1"],"known_not_affected":["pillow@6.2.2"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-5gm3-px64-rw72"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-172.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19911"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.2.1"]}],"title":"CVE-2019-19911/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-34552"]}],"cve":"CVE-2021-34552","cwe":{"id":"120","name":"Buffer Copy without Checking Size of 
Input"},"discovery_date":"2021-10-05T20:24:41","ids":[{"system_name":"CVE Record","text":"CVE-2021-34552"},{"system_name":"GitHub Advisory","text":"GHSA-7534-MM45-C74V"},{"system_name":"Gentoo Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-331"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Buffer Overflow in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Buffer Overflow in Pillow Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. ## Related CVE(s) BIT-pillow-2021-34552, CVE-2021-34552, PYSEC-2021-331"},{"category":"other","text":"No recommendation found for CVE-2021-34552. Updating to version 10.3.0 is recommended nonetheless in order to address additional vulnerabilities identified for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7534-mm45-c74v"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-34552"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202211-10"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.2.0"]}],"title":"CVE-2021-34552/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25287"]}],"cve":"CVE-2021-25287","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-06-08T18:49:02","ids":[{"system_name":"CVE Record","text":"CVE-2021-25287"},{"system_name":"GitHub Advisory","text":"GHSA-77GC-V2XV-RVVH"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-137"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds Read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds Read in Pillow An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. 
## Related CVE(s) BIT-pillow-2021-25287, CVE-2021-25287, PYSEC-2021-137"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-25287 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=2.4.0|<8.2.0"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-77gc-v2xv-rvvh"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-137.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25287"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=2.4.0|<8.2.0"]}],"title":"CVE-2021-25287/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-28676"]}],"cve":"CVE-2021-28676","cwe":{"id":"835","name":"Loop with Unreachable Exit 
Condition"},"discovery_date":"2021-06-08T18:48:53","ids":[{"system_name":"CVE Record","text":"CVE-2021-28676"},{"system_name":"GitHub Advisory","text":"GHSA-7R7M-5H27-29HP"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-92"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Potential infinite loop in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Potential infinite loop in Pillow An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. ## Related CVE(s) BIT-pillow-2021-28676, CVE-2021-28676, PYSEC-2021-92"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-28676 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.2"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-7r7m-5h27-29hp"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-92.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28676"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.2"]}],"title":"CVE-2021-28676/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10379"]}],"cve":"CVE-2020-10379","cwe":{"id":"120","name":"Buffer Copy without Checking Size of Input"},"discovery_date":"2020-07-27T21:52:41","ids":[{"system_name":"CVE Record","text":"CVE-2020-10379"},{"system_name":"GitHub Advisory","text":"GHSA-8843-M7MW-MXQM"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-78"},{"system_name":"Snyk Advisory","text":"SNYK-PYTHON-PILLOW-574577"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Buffer overflow in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Buffer overflow in Pillow In Pillow before 7.1.0, there are two Buffer Overflows in `libImaging/TiffDecode.c`. 
## Related CVE(s) BIT-pillow-2020-10379, CVE-2020-10379"},{"category":"other","text":"Update to version 7.1.0 to resolve CVE-2020-10379 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8843-m7mw-mxqm"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-78.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10379"},{"summary":"Snyk 
Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574577"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":7.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"CVE-2020-10379/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2023-44271"]}],"cve":"CVE-2023-44271","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2023-11-03T06:36:30","ids":[{"system_name":"CVE Record","text":"CVE-2023-44271"},{"system_name":"GitHub Advisory","text":"PYSEC-2023-227"}],"notes":[{"audience":"developers","category":"other","text":"Allocation of Resources Without Limits or Throttling","title":"Additional CWE: 770"},{"category":"description","details":"Vulnerability Description","text":"Pillow Denial of Service vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Denial of Service vulnerability An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. 
## Related CVE(s) BIT-pillow-2023-44271, CVE-2023-44271, PYSEC-2023-227"},{"category":"other","text":"Update to version 10.0.0 to resolve CVE-2023-44271 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"],"known_not_affected":["pillow@10.0.0"]},"references":[{"summary":"CVE Record","url":"https://devhub.checkmarx.com/cve-details/CVE-2023-44271"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44271"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"CVE-2023-44271/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22817"]}],"cve":"CVE-2022-22817","cwe":{"id":"74","name":"Improper Neutralization of Special Elements in Output 
Used by a Downstream Component"},"discovery_date":"2022-01-12T20:07:33","ids":[{"system_name":"CVE Record","text":"CVE-2022-22817"},{"system_name":"Debian Advisory","text":"DSA-5053"},{"system_name":"GitHub Advisory","text":"GHSA-8VJ2-VXX3-667W"},{"system_name":"Gentoo Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-10"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Arbitrary expression injection in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Arbitrary expression injection in Pillow `PIL.ImageMath.eval` in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method `ImageMath.eval(\"exec(exit())\")`. While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1. ## Related CVE(s) BIT-pillow-2022-22817, CVE-2022-22817, PYSEC-2022-10"},{"category":"other","text":"Update to version 9.0.0 to resolve CVE-2022-22817 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.0.0"],"known_not_affected":["pillow@9.0.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8vj2-vxx3-667w"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22817"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.0.0"]}],"title":"CVE-2022-22817/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25290"]}],"cve":"CVE-2021-25290","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2021-03-29T16:35:36","ids":[{"system_name":"CVE Record","text":"CVE-2021-25290"},{"system_name":"GitHub Advisory","text":"GHSA-8XJQ-8FCG-G5HW"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-36"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds Write in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds Write in Pillow An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. 
## Related CVE(s) BIT-pillow-2021-25290, CVE-2021-25290, PYSEC-2021-36"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-25290 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.0"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-8xjq-8fcg-g5hw"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-36.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25290"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.0"]}],"title":"CVE-2021-25290/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-27923"]}],"cve":"CVE-2021-27923","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-03-18T19:54:43","ids":[{"system_name":"CVE Record","text":"CVE-2021-27923"},{"system_name":"GitHub 
Advisory","text":"GHSA-95Q3-8GR9-GM8W"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-42"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Denial of Service by Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Denial of Service by Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. ## Related CVE(s) BIT-pillow-2021-27923, CVE-2021-27923, PYSEC-2021-42"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-27923 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.0"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-95q3-8gr9-gm8w"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-42.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27923"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.0"]}],"title":"CVE-2021-27923/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-23437"]}],"cve":"CVE-2021-23437","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-09-07T23:08:10","ids":[{"system_name":"CVE Record","text":"CVE-2021-23437"},{"system_name":"GitHub Advisory","text":"GHSA-98VV-PW6R-Q6Q4"},{"system_name":"Gentoo Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-317"},{"system_name":"Snyk Advisory","text":"SNYK-PYTHON-PILLOW-1319443"}],"notes":[{"audience":"developers","category":"other","text":"Uncontrolled Resource Consumption","title":"Additional CWE: 400"},{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in pillow"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in pillow The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. 
## Related CVE(s) BIT-pillow-2021-23437, CVE-2021-23437, PYSEC-2021-317, SNYK-PYTHON-PILLOW-1319443"},{"category":"other","text":"Update to version 8.3.2 to resolve CVE-2021-23437 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=5.2.0|<8.3.2"],"known_not_affected":["pillow@8.3.2"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-98vv-pw6r-q6q4"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23437"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"},{"summary":"Snyk 
Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=5.2.0|<8.3.2"]}],"title":"CVE-2021-23437/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25292"]}],"cve":"CVE-2021-25292","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-03-29T16:35:46","ids":[{"system_name":"CVE Record","text":"CVE-2021-25292"},{"system_name":"GitHub Advisory","text":"GHSA-9HX2-HGQ2-2G4F"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-38"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Regular Expression Denial of Service (ReDoS) in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Regular Expression Denial of Service (ReDoS) in Pillow An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex. 
## Related CVE(s) BIT-pillow-2021-25292, CVE-2021-25292, PYSEC-2021-38"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-25292 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=5.1.0|<8.1.1"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-9hx2-hgq2-2g4f"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-38.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25292"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=5.1.0|<8.1.1"]}],"title":"CVE-2021-25292/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-24303"]}],"cve":"CVE-2022-24303","cwe":{"id":"22","name":"Improper Limitation of a Pathname to a Restricted Directory"},"discovery_date":"2022-03-11T23:10:32","ids":[{"system_name":"CVE Record","text":"CVE-2022-24303"},{"system_name":"GitHub Advisory","text":"GHSA-9J59-75QJ-795W"},{"system_name":"Gentoo 
Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-168"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Path traversal in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Path traversal in Pillow Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. ## Related CVE(s) BIT-pillow-2022-24303, CVE-2022-24303, PYSEC-2022-168"},{"category":"other","text":"Update to version 9.0.1 to resolve CVE-2022-24303 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.0.0"],"known_not_affected":["pillow@9.0.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-9j59-75qj-795w"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24303"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202211-10"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"NONE","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.0.0"]}],"title":"CVE-2022-24303/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10177"]}],"cve":"CVE-2020-10177","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2020-07-27T21:52:43","ids":[{"system_name":"CVE Record","text":"CVE-2020-10177"},{"system_name":"GitHub Advisory","text":"GHSA-CQHG-XJHH-P8HF"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-76"},{"system_name":"Snyk Advisory","text":"SNYK-PYTHON-PILLOW-574573"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds reads in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds reads in Pillow Pillow before 7.1.0 has multiple out-of-bounds reads in `libImaging/FliDecode.c`. 
## Related CVE(s) BIT-pillow-2020-10177, CVE-2020-10177, PYSEC-2020-76"},{"category":"other","text":"Update to version 7.1.0 to resolve CVE-2020-10177 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-cqhg-xjhh-p8hf"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-76.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00012.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10177"},{"summary":"Snyk 
Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574573"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"CVE-2020-10177/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-27921"]}],"cve":"CVE-2021-27921","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-03-18T19:55:13","ids":[{"system_name":"CVE Record","text":"CVE-2021-27921"},{"system_name":"GitHub Advisory","text":"GHSA-F4W8-CV6P-X6R5"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-40"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Denial of Service by Uncontrolled Resource Consumption"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Denial of Service by Uncontrolled Resource Consumption Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large. 
## Related CVE(s) BIT-pillow-2021-27921, CVE-2021-27921, PYSEC-2021-40"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-27921 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.0"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-f4w8-cv6p-x6r5"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-40.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27921"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.0"]}],"title":"CVE-2021-27921/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35653"]}],"cve":"CVE-2020-35653","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-03-18T19:55:41","ids":[{"system_name":"CVE Record","text":"CVE-2020-35653"},{"system_name":"GitHub Advisory","text":"GHSA-F5G8-5QQ7-938W"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-69"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Out-of-bounds Read"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Out-of-bounds Read In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. 
## Related CVE(s) BIT-pillow-2020-35653, CVE-2020-35653, PYSEC-2021-69"},{"category":"other","text":"Update to version 8.1.0 to resolve CVE-2020-35653 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.0.1"],"known_not_affected":["pillow@8.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-f5g8-5qq7-938w"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35653"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.0.1"]}],"title":"CVE-2020-35653/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-28675"]}],"cve":"CVE-2021-28675","cwe":{"id":"233","name":"Improper Handling of Parameters"},"discovery_date":"2021-06-08T18:49:11","ids":[{"system_name":"CVE Record","text":"CVE-2021-28675"},{"system_name":"GitHub Advisory","text":"GHSA-G6RJ-RV7J-XWP4"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-139"}],"notes":[{"audience":"developers","category":"other","text":"Unchecked Return Value","title":"Additional CWE: 252"},{"category":"description","details":"Vulnerability Description","text":"Pillow denial of service"},{"category":"details","details":"Vulnerability Details","text":"# Pillow denial of service An issue was discovered in Pillow before 8.2.0. `PSDImagePlugin.PsdImageFile` lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on `Image.open` prior to `Image.load`. 
## Related CVE(s) BIT-pillow-2021-28675, CVE-2021-28675, PYSEC-2021-139"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-28675 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.2"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-g6rj-rv7j-xwp4"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28675"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.2"]}],"title":"CVE-2021-28675/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35655"]}],"cve":"CVE-2020-35655","cwe":{"id":"125","name":"Out-of-bounds 
Read"},"discovery_date":"2021-03-18T19:55:34","ids":[{"system_name":"CVE Record","text":"CVE-2020-35655"},{"system_name":"GitHub Advisory","text":"GHSA-HF64-X4GQ-P99H"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-71"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Out-of-bounds Read"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Out-of-bounds Read In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled. ## Related CVE(s) BIT-pillow-2020-35655, CVE-2020-35655, PYSEC-2021-71"},{"category":"other","text":"Update to version 8.1.0 to resolve CVE-2020-35655 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=4.3.0|<8.1.0"],"known_not_affected":["pillow@8.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hf64-x4gq-p99h"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35655"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","environmentalScore":5.4,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.4,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L","version":"3.1"},"products":["pillow@vers:pypi/>=4.3.0|<8.1.0"]}],"title":"CVE-2020-35655/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5313"]}],"cve":"CVE-2020-5313","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2020-04-01T16:36:00","ids":[{"system_name":"CVE Record","text":"CVE-2020-5313"},{"system_name":"Debian Advisory","text":"DSA-4631"},{"system_name":"GitHub Advisory","text":"GHSA-HJ69-C76V-86WR"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-84"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds Read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds Read in Pillow `libImaging/FliDecode.c` in Pillow before 6.2.2 has an FLI buffer overflow. 
## Related CVE(s) BIT-pillow-2020-5313, CVE-2020-5313, PYSEC-2020-84"},{"category":"other","text":"Update to version 6.2.2 to resolve CVE-2020-5313 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.2.1"],"known_not_affected":["pillow@6.2.2"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hj69-c76v-86wr"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-84.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5313"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":7.1,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.1,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.2.1"]}],"title":"CVE-2020-5313/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-28678"]}],"cve":"CVE-2021-28678","cwe":{"id":"345","name":"Insufficient Verification of Data Authenticity"},"discovery_date":"2021-06-08T18:49:20","ids":[{"system_name":"CVE Record","text":"CVE-2021-28678"},{"system_name":"GitHub Advisory","text":"GHSA-HJFX-8P6C-G7GX"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-94"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Insufficient Verification of Data Authenticity in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Insufficient Verification of Data Authenticity in Pillow An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. 
## Related CVE(s) BIT-pillow-2021-28678, CVE-2021-28678, PYSEC-2021-94"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-28678 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=5.1.0|<8.2.0"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-hjfx-8p6c-g7gx"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28678"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=5.1.0|<8.2.0"]}],"title":"CVE-2021-28678/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2019-16865"]}],"cve":"CVE-2019-16865","cwe":{"id":"770","name":"Allocation of Resources Without Limits or 
Throttling"},"discovery_date":"2019-10-22T14:40:42","ids":[{"system_name":"CVE Record","text":"CVE-2019-16865"},{"system_name":"Debian Advisory","text":"DSA-4631"},{"system_name":"GitHub Advisory","text":"GHSA-J7MJ-748X-7P78"},{"system_name":"GitHub Advisory","text":"PYSEC-2019-110"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0566"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0578"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0580"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0681"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0683"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0694"},{"system_name":"Ubuntu Advisory","text":"USN-4272-1"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"DOS attack in Pillow when processing specially crafted image files"},{"category":"details","details":"Vulnerability Details","text":"# DOS attack in Pillow when processing specially crafted image files An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image. 
## Related CVE(s) CVE-2019-16865, PYSEC-2019-110"},{"category":"other","text":"Update to version 6.2.0 to resolve CVE-2019-16865 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.1.0"],"known_not_affected":["pillow@6.2.0"]},"references":[{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0578"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0681"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0683"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0694"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-j7mj-748x-7p78"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2019-110.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16865"},{"summary":"Ubuntu Advisory","url":"https://ubuntu.com/security/notices/USN-4272-1"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.1.0"]}],"title":"CVE-2019-16865/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"GitHub","urls":["https://github.com/calix2/pyVulApp/security/advisories/GHSA-jgpv-4h4c-xhw3"]}],"cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-04-23T16:54:36","ids":[{"system_name":"GitHub Advisory","text":"GHSA-JGPV-4H4C-XHW3"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in pillow"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in pillow ### Impact _Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large._ ### Patches _An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._ ### Workarounds _An issue was discovered in Pillow before 6.2.0. 
When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._ ### References https://nvd.nist.gov/vuln/detail/CVE-2021-27921 ### For more information If you have any questions or comments about this advisory: * Open an issue in [example link to repo](http://example.com) * Email us at [example email address](mailto:example@example.com)"},{"category":"other","text":"Update to version 8.1.1 to resolve GHSA-jgpv-4h4c-xhw3 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.1"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/calix2/pyVulApp/security/advisories/GHSA-jgpv-4h4c-xhw3"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.1"]}],"title":"GHSA-jgpv-4h4c-xhw3/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-45198"]}],"cve":"CVE-2022-45198","cwe":{"id":"409","name":"Improper Handling of Highly Compressed Data"},"discovery_date":"2022-11-14T12:00:15","ids":[{"system_name":"CVE 
Record","text":"CVE-2022-45198"},{"system_name":"Gentoo Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-42979"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow vulnerable to Data Amplification attack."},{"category":"details","details":"Vulnerability Details","text":"# Pillow vulnerable to Data Amplification attack. Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). ## Related CVE(s) BIT-pillow-2022-45198, CVE-2022-45198, PYSEC-2022-42979"},{"category":"other","text":"Update to version 9.2.0 to resolve CVE-2022-45198 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.1.1"],"known_not_affected":["pillow@9.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42979.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45198"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202211-10"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.1.1"]}],"title":"CVE-2022-45198/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25291"]}],"cve":"CVE-2021-25291","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-03-29T16:35:57","ids":[{"system_name":"CVE Record","text":"CVE-2021-25291"},{"system_name":"GitHub Advisory","text":"GHSA-MVG9-XFFR-P774"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-37"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out of bounds read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out of bounds read in Pillow An issue was discovered in Pillow before 8.2.0. In `TiffDecode.c`, there is an out-of-bounds read in `TiffreadRGBATile` via invalid tile boundaries. 
## Related CVE(s) BIT-pillow-2021-25291, CVE-2021-25291, PYSEC-2021-37"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-25291 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.2"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-mvg9-xffr-p774"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-37.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25291"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.2"]}],"title":"CVE-2021-25291/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25293"]}],"cve":"CVE-2021-25293","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-03-29T16:35:27","ids":[{"system_name":"CVE Record","text":"CVE-2021-25293"},{"system_name":"GitHub Advisory","text":"GHSA-P43W-G3C5-G5MQ"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub 
Advisory","text":"PYSEC-2021-39"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out of bounds read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out of bounds read in Pillow An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c. ## Related CVE(s) BIT-pillow-2021-25293, CVE-2021-25293, PYSEC-2021-39"},{"category":"other","text":"Update to version 8.1.1 to resolve CVE-2021-25293 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=4.3.0|<8.1.1"],"known_not_affected":["pillow@8.1.1"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-p43w-g3c5-g5mq"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-39.yaml"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25293"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=4.3.0|<8.1.1"]}],"title":"CVE-2021-25293/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5312"]}],"cve":"CVE-2020-5312","cwe":{"id":"120","name":"Buffer Copy without Checking Size of Input"},"discovery_date":"2021-11-03T18:05:04","ids":[{"system_name":"CVE Record","text":"CVE-2020-5312"},{"system_name":"Debian Advisory","text":"DSA-4631"},{"system_name":"GitHub Advisory","text":"GHSA-P49H-HJVM-JG3H"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-83"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0566"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0578"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0580"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0681"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0683"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0694"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"PCX P mode buffer overflow in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# PCX P mode buffer overflow in Pillow libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer 
overflow. ## Related CVE(s) BIT-pillow-2020-5312, CVE-2020-5312, PYSEC-2020-83"},{"category":"other","text":"Update to version 6.2.2 to resolve CVE-2020-5312 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.2.1"],"known_not_affected":["pillow@6.2.2"]},"references":[{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0578"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0681"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0683"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0694"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-p49h-hjvm-jg3h"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-83.yaml"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-83.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5312"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.2.1"]}],"title":"CVE-2020-5312/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22815"]}],"cve":"CVE-2022-22815","cwe":{"id":"665","name":"Improper Initialization"},"discovery_date":"2022-01-12T20:07:43","ids":[{"system_name":"CVE Record","text":"CVE-2022-22815"},{"system_name":"Debian Advisory","text":"DSA-5053"},{"system_name":"GitHub Advisory","text":"GHSA-PW3C-H7WP-CVHX"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-8"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Improper Initialization in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Improper Initialization in Pillow Pillow is the friendly PIL (Python Imaging Library) fork. `path_getbbox` in `path.c` in Pillow before 9.0.0 improperly initializes `ImagePath.Path`. 
## Related CVE(s) BIT-pillow-2022-22815, CVE-2022-22815, PYSEC-2022-8"},{"category":"other","text":"Update to version 9.0.0 to resolve CVE-2022-22815 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.4.0"],"known_not_affected":["pillow@9.0.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-pw3c-h7wp-cvhx"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-8.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22815"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.4.0"]}],"title":"CVE-2022-22815/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-28677"]}],"cve":"CVE-2021-28677","cwe":{"id":"400","name":"Uncontrolled Resource Consumption"},"discovery_date":"2021-06-08T18:49:36","ids":[{"system_name":"CVE 
Record","text":"CVE-2021-28677"},{"system_name":"GitHub Advisory","text":"GHSA-Q5HQ-FP76-QMRC"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-93"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Uncontrolled Resource Consumption in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Uncontrolled Resource Consumption in Pillow An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of and as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening. ## Related CVE(s) BIT-pillow-2021-28677, CVE-2021-28677, PYSEC-2021-93"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-28677 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.1.2"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-q5hq-fp76-qmrc"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677"},{"summary":"Gentoo 
Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.1.2"]}],"title":"CVE-2021-28677/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5311"]}],"cve":"CVE-2020-5311","cwe":{"id":"120","name":"Buffer Copy without Checking Size of Input"},"discovery_date":"2022-05-24T17:05:33","ids":[{"system_name":"CVE Record","text":"CVE-2020-5311"},{"system_name":"Debian Advisory","text":"DSA-4631"},{"system_name":"GitHub Advisory","text":"GHSA-R7RM-8J6H-R933"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-82"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0566"},{"system_name":"Red Hat Advisory","text":"RHSA-2020:0580"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Buffer Copy without Checking Size of Input in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Buffer Copy without Checking Size of Input in Pillow `libImaging/SgiRleDecode.c` in Pillow before 6.2.2 has an SGI buffer overflow. 
## Related CVE(s) BIT-pillow-2020-5311, CVE-2020-5311, PYSEC-2020-82"},{"category":"other","text":"Update to version 6.2.2 to resolve CVE-2020-5311 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.2.1"],"known_not_affected":["pillow@6.2.2"]},"references":[{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0566"},{"summary":"Red Hat Advisory","url":"https://access.redhat.com/errata/RHSA-2020:0580"},{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-r7rm-8j6h-r933"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-82.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5311"},{"summary":"Debian 
Advisory","url":"https://www.debian.org/security/2020/dsa-4631"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.8,"environmentalSeverity":"CRITICAL","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.8,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.2.1"]}],"title":"CVE-2020-5311/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2021-25288"]}],"cve":"CVE-2021-25288","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2021-06-08T18:49:28","ids":[{"system_name":"CVE Record","text":"CVE-2021-25288"},{"system_name":"GitHub Advisory","text":"GHSA-RWV7-3V45-HG29"},{"system_name":"Gentoo Advisory","text":"GLSA-202107-33"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-138"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Out-of-bounds Read vulnerability"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Out-of-bounds Read vulnerability An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. This dates to Pillow 2.4.0. 
## Related CVE(s) BIT-pillow-2021-25288, CVE-2021-25288, PYSEC-2021-138"},{"category":"other","text":"Update to version 8.2.0 to resolve CVE-2021-25288 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=2.4.0|<8.2.0"],"known_not_affected":["pillow@8.2.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-rwv7-3v45-hg29"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-138.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25288"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202107-33"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","environmentalScore":9.1,"environmentalSeverity":"CRITICAL","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":9.1,"temporalSeverity":"CRITICAL","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=2.4.0|<8.2.0"]}],"title":"CVE-2021-25288/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-5310"]}],"cve":"CVE-2020-5310","cwe":{"id":"190","name":"Integer Overflow or 
Wraparound"},"discovery_date":"2021-11-03T18:04:41","ids":[{"system_name":"CVE Record","text":"CVE-2020-5310"},{"system_name":"GitHub Advisory","text":"GHSA-VCQG-3P29-XW73"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-81"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Integer overflow in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Integer overflow in Pillow `libImaging/TiffDecode.c` in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc. ## Related CVE(s) BIT-pillow-2020-5310, CVE-2020-5310, PYSEC-2020-81"},{"category":"other","text":"Update to version 6.2.2 to resolve CVE-2020-5310 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=6.2.1"],"known_not_affected":["pillow@6.2.2"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vcqg-3p29-xw73"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-81.yaml"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-81.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5310"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=6.2.1"]}],"title":"CVE-2020-5310/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-10994"]}],"cve":"CVE-2020-10994","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2020-07-27T21:52:39","ids":[{"system_name":"CVE Record","text":"CVE-2020-10994"},{"system_name":"GitHub Advisory","text":"GHSA-VJ42-XQ3R-HR3R"},{"system_name":"GitHub Advisory","text":"PYSEC-2020-79"},{"system_name":"Snyk Advisory","text":"SNYK-PYTHON-PILLOW-574575"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds reads in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds reads in Pillow In `libImaging/Jpeg2KDecode.c` in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. 
## Related CVE(s) BIT-pillow-2020-10994, CVE-2020-10994, PYSEC-2020-79"},{"category":"other","text":"Update to version 7.1.0 to resolve CVE-2020-10994 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vj42-xq3r-hr3r"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-79.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10994"},{"summary":"Snyk 
Advisory","url":"https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574575"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":5.5,"environmentalSeverity":"MEDIUM","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"LOCAL","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":5.5,"temporalSeverity":"MEDIUM","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"CVE-2020-10994/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2020-35654"]}],"cve":"CVE-2020-35654","cwe":{"id":"787","name":"Out-of-bounds Write"},"discovery_date":"2021-03-18T19:55:27","ids":[{"system_name":"CVE Record","text":"CVE-2020-35654"},{"system_name":"GitHub Advisory","text":"GHSA-VQCJ-WRF2-7V73"},{"system_name":"GitHub Advisory","text":"PYSEC-2021-70"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Pillow Out-of-bounds Write"},{"category":"details","details":"Vulnerability Details","text":"# Pillow Out-of-bounds Write In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. 
## Related CVE(s) BIT-pillow-2020-35654, CVE-2020-35654, PYSEC-2021-70"},{"category":"other","text":"Update to version 8.1.0 to resolve CVE-2020-35654 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.0.1"],"known_not_affected":["pillow@8.1.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-vqcj-wrf2-7v73"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-70.yaml"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35654"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","environmentalScore":8.8,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"HIGH","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.8,"temporalSeverity":"HIGH","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.0.1"]}],"title":"CVE-2020-35654/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2022-22816"]}],"cve":"CVE-2022-22816","cwe":{"id":"125","name":"Out-of-bounds Read"},"discovery_date":"2022-01-12T20:07:41","ids":[{"system_name":"CVE Record","text":"CVE-2022-22816"},{"system_name":"Debian Advisory","text":"DSA-5053"},{"system_name":"GitHub Advisory","text":"GHSA-XRCV-F9GM-V42C"},{"system_name":"Gentoo Advisory","text":"GLSA-202211-10"},{"system_name":"GitHub Advisory","text":"PYSEC-2022-9"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds Read in Pillow"},{"category":"details","details":"Vulnerability Details","text":"# Out-of-bounds Read in Pillow path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. 
## Related CVE(s) BIT-pillow-2022-22816, CVE-2022-22816, PYSEC-2022-9"},{"category":"other","text":"Update to version 9.0.0 to resolve CVE-2022-22816 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=8.4.0"],"known_not_affected":["pillow@9.0.0"]},"references":[{"summary":"GitHub Advisory","url":"https://github.com/advisories/GHSA-xrcv-f9gm-v42c"},{"summary":"GitHub Advisory","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yaml"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22816"},{"summary":"Gentoo Advisory","url":"https://security.gentoo.org/glsa/202211-10"},{"summary":"Debian Advisory","url":"https://www.debian.org/security/2022/dsa-5053"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","environmentalScore":6.5,"environmentalSeverity":"MEDIUM","integrityImpact":"LOW","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"LOW","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"LOW","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":6.5,"temporalSeverity":"MEDIUM","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=8.4.0"]}],"title":"CVE-2022-22816/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"Google"}],"discovery_date":"2020-06-25T19:15:00","notes":[{"category":"description","details":"Vulnerability Description","text":"Out-of-bounds read in PCX decoding (libImaging/PcxDecode.c) in Pillow before 7.1.0"},{"category":"details","details":"Vulnerability 
Details","text":"# Summary In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer."},{"category":"other","text":"Update to version 7.1.0 to resolve PYSEC-2020-77 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"PYSEC-2020-77/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"Google"}],"discovery_date":"2020-06-25T19:15:00","notes":[{"category":"description","details":"Vulnerability Description","text":"Buffer overflows in TIFF decoding (libImaging/TiffDecode.c) in Pillow before 7.1.0"},{"category":"details","details":"Vulnerability Details","text":"# Summary In Pillow before 7.1.0, there are two Buffer Overflows 
in libImaging/TiffDecode.c."},{"category":"other","text":"Update to version 7.1.0 to resolve PYSEC-2020-78 or update to version 10.3.0 to resolve additional vulnerabilities for this package.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=7.0.0"],"known_not_affected":["pillow@7.1.0"]},"references":[{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/"},{"summary":"Fedora Project Mailing List","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=7.0.0"]}],"title":"PYSEC-2020-78/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"Google"}],"discovery_date":"2023-09-20T05:46:53","ids":[{"system_name":"CVE Record","text":"CVE-2023-4863"},{"system_name":"CVE Record","text":"CVE-2023-5129"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Vulnerable bundled libwebp (CVE-2023-4863 / CVE-2023-5129) in Pillow wheels before 10.0.1"},{"category":"details","details":"Vulnerability Details","text":"# Summary Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 
(previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2."},{"category":"other","text":"Update to version 10.0.1, which upgrades the bundled libwebp binary to v1.3.2, to resolve PYSEC-2023-175 (CVE-2023-4863 / CVE-2023-5129), or update to version 10.3.0 to resolve additional vulnerabilities for this package. Every release before 10.0.1, including 10.0.0, ships the vulnerable bundled libwebp; if Pillow is instead built from source against a system libwebp, that library must be at v1.3.2 or later as well.","title":"Recommended Action"}],"product_status":{"known_affected":["pillow@vers:pypi/>=1.0|<=9.5.0"]},"references":[{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4863"},{"summary":"CVE Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5129"}],"scores":[{"cvss_v3":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.1,"baseSeverity":"LOW","confidentialityImpact":"LOW","environmentalScore":3.1,"environmentalSeverity":"LOW","integrityImpact":"NONE","modifiedAttackComplexity":"HIGH","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"REQUIRED","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":3.1,"temporalSeverity":"LOW","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"products":["pillow@vers:pypi/>=1.0|<=9.5.0"]}],"title":"PYSEC-2023-175/pkg:pypi/pillow@5.4.1"},{"acknowledgements":[{"organization":"NVD","urls":["https://nvd.nist.gov/vuln/detail/CVE-2024-1135"]}],"cve":"CVE-2024-1135","cwe":{"id":"444","name":"Inconsistent Interpretation of HTTP Requests"},"discovery_date":"2024-04-16T00:30:32","ids":[{"system_name":"Huntr Advisory","text":"22158E34-CFD5-41AD-97E0-A780773D96C1"},{"system_name":"CVE Record","text":"CVE-2024-1135"}],"notes":[{"category":"description","details":"Vulnerability Description","text":"Request smuggling leading to endpoint restriction bypass in Gunicorn"},{"category":"details","details":"Vulnerability Details","text":"# Request 
smuggling leading to endpoint restriction bypass in Gunicorn Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability has been shown to allow access to endpoints restricted by gunicorn. This issue has been addressed in version 22.0.0. To be affected users must have a network path which does not filter out invalid requests. These users are advised to block access to restricted endpoints via a firewall or other mechanism if they are unable to update."},{"category":"other","text":"Update to version 22.0.0.","title":"Recommended Action"}],"product_status":{"known_affected":["gunicorn@vers:pypi/>=0.1|<=21.2.0"],"known_not_affected":["gunicorn@22.0.0"]},"references":[{"summary":"Huntr Advisory","url":"https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1"},{"summary":"Debian Mailing List","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00027.html"},{"summary":"CVE 
Record","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1135"}],"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.2,"baseSeverity":"HIGH","confidentialityImpact":"LOW","environmentalScore":8.2,"environmentalSeverity":"HIGH","integrityImpact":"HIGH","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"NONE","modifiedConfidentialityImpact":"LOW","modifiedIntegrityImpact":"HIGH","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":8.2,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N","version":"3.1"},"products":["gunicorn@vers:pypi/>=0.1|<=21.2.0"]}],"title":"CVE-2024-1135/pkg:pypi/gunicorn@19.9.0"},{"acknowledgements":[{"organization":"Mitre"}],"cve":"CVE-2023-5590","discovery_date":"2023-10-15T23:15:00","notes":[{"category":"description","details":"Vulnerability Description","text":"NULL Pointer Dereference in Selenium prior to 4.14.0"},{"category":"details","details":"Vulnerability Details","text":"# Summary NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0."},{"category":"other","text":"Update to version 4.14.0.","title":"Recommended 
Action"}],"product_status":{"known_affected":["selenium@vers:pypi/>=0.9.2|<=4.9.1"],"known_not_affected":["selenium@4.14.0"]},"scores":[{"cvss_v3":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","environmentalScore":7.5,"environmentalSeverity":"HIGH","integrityImpact":"NONE","modifiedAttackComplexity":"LOW","modifiedAttackVector":"NETWORK","modifiedAvailabilityImpact":"HIGH","modifiedConfidentialityImpact":"NONE","modifiedIntegrityImpact":"NONE","modifiedPrivilegesRequired":"NONE","modifiedScope":"UNCHANGED","modifiedUserInteraction":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","temporalScore":7.5,"temporalSeverity":"HIGH","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["selenium@vers:pypi/>=0.9.2|<=4.9.1"]}],"title":"CVE-2023-5590/pkg:pypi/selenium@3.141.0"}]}