Look up vulnerable packages by Package URL (purl). The record below is the lookup result for pkg:pypi/pillow@10.0.0.

Purl pkg:pypi/pillow@10.0.0
Type pypi
Namespace
Name pillow
Version 10.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 12.2.0
Latest_non_vulnerable_version 12.2.0
Affected_by_vulnerabilities
0
url VCID-4tub-w66m-uyfu
vulnerability_id VCID-4tub-w66m-uyfu
summary Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.
references
0
reference_url https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15
reference_id
reference_type
scores
url https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-4863
reference_id
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-4863
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5129
reference_id
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-5129
fixed_packages
0
url pkg:pypi/pillow@10.0.1
purl pkg:pypi/pillow@10.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9hza-srk7-sucy
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@10.0.1
aliases PYSEC-2023-175
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4tub-w66m-uyfu
1
url VCID-9hza-srk7-sucy
vulnerability_id VCID-9hza-srk7-sucy
summary Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.
references
0
reference_url https://github.com/python-pillow/Pillow/releases/tag/12.2.0
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://github.com/python-pillow/Pillow/releases/tag/12.2.0
1
reference_url https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j
fixed_packages
0
url pkg:pypi/pillow@12.2.0
purl pkg:pypi/pillow@12.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@12.2.0
aliases CVE-2026-42308, GHSA-wjx4-4jcj-g98j, PYSEC-2026-165
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hza-srk7-sucy
Fixing_vulnerabilities
0
url VCID-x3bz-ehvb-jyfs
vulnerability_id VCID-x3bz-ehvb-jyfs
summary An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.
references
0
reference_url https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
reference_id
reference_type
scores
url https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
1
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
2
reference_url https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url https://github.com/python-pillow/Pillow
3
reference_url https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
reference_id
reference_type
scores
url https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
4
reference_url https://github.com/python-pillow/Pillow/pull/7244
reference_id
reference_type
scores
url https://github.com/python-pillow/Pillow/pull/7244
5
reference_url https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
7
reference_url https://devhub.checkmarx.com/cve-details/CVE-2023-44271
reference_id CVE-2023-44271
reference_type
scores
url https://devhub.checkmarx.com/cve-details/CVE-2023-44271
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-44271
reference_id CVE-2023-44271
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-44271
9
reference_url https://github.com/advisories/GHSA-8ghj-p4vj-mr35
reference_id GHSA-8ghj-p4vj-mr35
reference_type
scores
url https://github.com/advisories/GHSA-8ghj-p4vj-mr35
fixed_packages
0
url pkg:pypi/pillow@10.0.0
purl pkg:pypi/pillow@10.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4tub-w66m-uyfu
1
vulnerability VCID-9hza-srk7-sucy
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@10.0.0
aliases CVE-2023-44271, GHSA-8ghj-p4vj-mr35, PYSEC-2023-227
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x3bz-ehvb-jyfs
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@10.0.0
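The record above packs several distinct facts into one flattened result: the purl is parsed into type/namespace/name/version, the version is matched against each advisory's affected range, the advisories whose fix lands exactly on this version go under Fixing_vulnerabilities, and Next_non_vulnerable_version is 12.2.0 rather than 10.0.1 because 10.0.1 closes the libwebp issue but is itself still affected by VCID-9hza-srk7-sucy. The following is an added example written for this page, not VulnerableCode's own code, that reproduces those fields against a local advisory set. The three advisories are transcribed from the result above; their affected ranges are an assumption read from each summary ("before 10.0.1", "prior to 12.2.0", "before 10.0.0"), version ordering is a plain dotted-integer compare rather than full PEP 440, and only the known fixed versions are considered as upgrade candidates (the real service also consults the registry's full version list).

```python
# Added example (not VulnerableCode's code): parse a purl and resolve it against
# a small local advisory set. ADVISORIES is transcribed from this page; the
# affected ranges are an ASSUMPTION derived from each summary, and vkey() is a
# simplified dotted-integer ordering, not PEP 440.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict
    subpath: Optional[str]


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/[namespace/]name[@version][?qualifiers][#subpath]."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:                              # subpath is last
        rest, subpath = rest.split("#", 1)
    qualifiers: dict = {}
    if "?" in rest:                              # then qualifiers
        rest, query = rest.split("?", 1)
        qualifiers = {k.lower(): v for k, v in parse_qsl(query)}
    version = None
    if "@" in rest:                              # then version; split before
        rest, version = rest.rsplit("@", 1)      # unquoting so %40 in a
        version = unquote(version)               # namespace stays intact
    parts = rest.split("/")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    if ptype == "pypi":                          # purl spec: pypi names are
        name = name.lower().replace("_", "-")    # case-insensitive, '_' == '-'
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


def vkey(version: str) -> tuple:
    """Ordering key for dotted-integer versions only (simplification)."""
    return tuple(int(x) for x in version.split("."))


@dataclass
class Advisory:
    vcid: str
    package: tuple                               # (type, normalized name)
    aliases: list
    # OSV-style half-open ranges: affected if introduced <= v < fixed;
    # None means unbounded on that side.
    ranges: list = field(default_factory=list)

    def affects(self, version: str) -> bool:
        v = vkey(version)
        return any((lo is None or vkey(lo) <= v) and (hi is None or v < vkey(hi))
                   for lo, hi in self.ranges)

    def fixed_versions(self) -> list:
        return [hi for _, hi in self.ranges if hi is not None]


ADVISORIES = [  # transcribed from the lookup result on this page
    Advisory("VCID-4tub-w66m-uyfu", ("pypi", "pillow"), ["PYSEC-2023-175"],
             [(None, "10.0.1")]),
    Advisory("VCID-9hza-srk7-sucy", ("pypi", "pillow"),
             ["CVE-2026-42308", "GHSA-wjx4-4jcj-g98j", "PYSEC-2026-165"],
             [(None, "12.2.0")]),
    Advisory("VCID-x3bz-ehvb-jyfs", ("pypi", "pillow"),
             ["CVE-2023-44271", "GHSA-8ghj-p4vj-mr35", "PYSEC-2023-227"],
             [(None, "10.0.0")]),
]


def lookup(purl: str, advisories=ADVISORIES) -> dict:
    """Resolve one versioned purl into the fields shown in the page's result."""
    p = parse_purl(purl)
    if p.version is None:
        raise ValueError("a version is required to evaluate vulnerability")
    relevant = [a for a in advisories if a.package == (p.type, p.name)]
    affected = [a for a in relevant if a.affects(p.version)]
    fixing = [a for a in relevant if p.version in a.fixed_versions()]
    # Upgrade candidates are the known fixed versions above the current one,
    # but a candidate only counts as non-vulnerable if NO advisory still
    # affects it: 10.0.1 fixes the libwebp issue yet is still inside the
    # VCID-9hza range, so the next safe version resolves to 12.2.0.
    cur = vkey(p.version)
    candidates = sorted({f for a in relevant for f in a.fixed_versions()
                         if vkey(f) > cur}, key=vkey)
    safe = [c for c in candidates if not any(a.affects(c) for a in relevant)]
    return {
        "purl": purl,
        "is_vulnerable": bool(affected),
        "affected_by_vulnerabilities": [a.vcid for a in affected],
        "fixing_vulnerabilities": [a.vcid for a in fixing],
        "next_non_vulnerable_version": safe[0] if safe else None,
        "latest_non_vulnerable_version": safe[-1] if safe else None,
    }
```

Run lookup("pkg:pypi/pillow@10.0.0") to get the same is_vulnerable, affected/fixing lists and 12.2.0 upgrade target as the record above; lookup("pkg:pypi/pillow@10.0.1") shows the intermediate state (fixes VCID-4tub-w66m-uyfu, still affected by VCID-9hza-srk7-sucy). Whatever resolver you use, treat a "fixed" version as a candidate only, and re-check it against every advisory for the package before reporting it as a safe upgrade.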