Skip to content

Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl: 9 vulnerabilities (highest severity is: 9.8) #40

Description

@mend-for-github-com
Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Pillow version) Remediation Possible**
CVE-2022-22817 Critical 9.8 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.0.0
CVE-2022-24303 Critical 9.1 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.0.1
CVE-2023-50447 High 8.1 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct pillow - 10.2.0
WS-2022-0097 High 7.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.0.0
CVE-2023-44271 High 7.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 10.0.0
CVE-2022-45199 High 7.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.3.0
CVE-2022-45198 High 7.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.2.0
CVE-2022-22816 Medium 6.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.0.0
CVE-2022-22815 Medium 6.5 Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl Direct Pillow - 9.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22817

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2022-24303

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Publish Date: 2022-03-28

URL: CVE-2022-24303

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9j59-75qj-795w

Release Date: 2022-03-28

Fix Resolution: Pillow - 9.0.1

CVE-2023-50447

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Publish Date: 2024-01-19

URL: CVE-2023-50447

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2024/01/20/1

Release Date: 2024-01-19

Fix Resolution: pillow - 10.2.0

WS-2022-0097

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

JpegImagePlugin may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where JpegImagePlugin keeps trying to end the file.

Publish Date: 2022-03-11

URL: WS-2022-0097

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4fx9-vc88-q2xc

Release Date: 2022-03-11

Fix Resolution: Pillow - 9.0.0

CVE-2023-44271

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

CVE-2022-45199

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.

Publish Date: 2022-11-14

URL: CVE-2022-45199

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.3.0

CVE-2022-45198

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

Publish Date: 2022-11-14

URL: CVE-2022-45198

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-11-14

Fix Resolution: Pillow - 9.2.0

CVE-2022-22816

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

CVE-2022-22815

Vulnerable Library - Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/c7/83/7beafd81d7b94ebbae6b04559e6f7a1deecd8941f8e21f1a924c075619cf/Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl

Dependency Hierarchy:

  • Pillow-8.4.0-cp310-cp310-macosx_10_10_universal2.whl (Vulnerable Library)

Found in HEAD commit: 653435dffecc04a7e4fcc7cbf73f04258b4cc039

Found in base branch: main

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions