Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pillow@8.1.1

Type pypi

Namespace

Name pillow

Version 8.1.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 12.2.0

Latest_non_vulnerable_version 12.2.0

Affected_by_vulnerabilities

url VCID-2gpf-94cu-6fcd

vulnerability_id VCID-2gpf-94cu-6fcd

summary PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

references

reference_url	https://github.com/advisories/GHSA-8vj2-vxx3-667w
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-8vj2-vxx3-667w

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11

reference_url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html

reference_url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security

reference_url	https://security.gentoo.org/glsa/202211-10
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202211-10

reference_url	https://www.debian.org/security/2022/dsa-5053
reference_id
reference_type
scores
url	https://www.debian.org/security/2022/dsa-5053

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-22817
reference_id	CVE-2022-22817
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-22817

fixed_packages

url pkg:pypi/pillow@9.0.0

purl pkg:pypi/pillow@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.0.0

url pkg:pypi/pillow@9.0.1

purl pkg:pypi/pillow@9.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.0.1

aliases CVE-2022-22817, GHSA-8vj2-vxx3-667w, PYSEC-2022-10

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2gpf-94cu-6fcd

url VCID-4tub-w66m-uyfu

vulnerability_id VCID-4tub-w66m-uyfu

summary Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

references

reference_url	https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-4863
reference_id
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-4863

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-5129
reference_id
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-5129

fixed_packages

url pkg:pypi/pillow@10.0.1

purl pkg:pypi/pillow@10.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9hza-srk7-sucy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@10.0.1

aliases PYSEC-2023-175

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4tub-w66m-uyfu

url VCID-7ya3-j9fa-zugj

vulnerability_id VCID-7ya3-j9fa-zugj

summary arbitrary code execution

references

reference_url	https://github.com/advisories/GHSA-7534-mm45-c74v
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-7534-mm45-c74v

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-331.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f

reference_url	https://github.com/python-pillow/Pillow/pull/5567
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5567

reference_url	https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/index.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/index.html

reference_url	https://security.gentoo.org/glsa/202211-10
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202211-10

reference_url	https://security.archlinux.org/ASA-202107-26
reference_id	ASA-202107-26
reference_type
scores
url	https://security.archlinux.org/ASA-202107-26

reference_url

https://security.archlinux.org/AVG-2150

reference_id

AVG-2150

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2150

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-34552
reference_id	CVE-2021-34552
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-34552

fixed_packages

url pkg:pypi/pillow@8.3.0

purl pkg:pypi/pillow@8.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.3.0

aliases CVE-2021-34552, GHSA-7534-mm45-c74v, PYSEC-2021-331

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ya3-j9fa-zugj

url VCID-9hza-srk7-sucy

vulnerability_id VCID-9hza-srk7-sucy

summary Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer overflow. This issue has been patched in version 12.2.0.

references

reference_url

https://github.com/python-pillow/Pillow/releases/tag/12.2.0

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://github.com/python-pillow/Pillow/releases/tag/12.2.0

reference_url

https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j

fixed_packages

url	pkg:pypi/pillow@12.2.0
purl	pkg:pypi/pillow@12.2.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@12.2.0

aliases CVE-2026-42308, GHSA-wjx4-4jcj-g98j, PYSEC-2026-165

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hza-srk7-sucy

url VCID-d4dx-wbrv-gqaa

vulnerability_id VCID-d4dx-wbrv-gqaa

summary path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

references

reference_url	https://github.com/advisories/GHSA-pw3c-h7wp-cvhx
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-pw3c-h7wp-cvhx

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-8.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-8.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331

reference_url	https://github.com/python-pillow/Pillow/blob/e8ab5640774716c5486d3cb05167f74f742ad6ef/CHANGES.rst?plain=1#L1187
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/blob/e8ab5640774716c5486d3cb05167f74f742ad6ef/CHANGES.rst?plain=1#L1187

reference_url	https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c

reference_url	https://github.com/python-pillow/Pillow/commit/c48271ab354db49cdbd740bc45e13be4f0f7993c
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/c48271ab354db49cdbd740bc45e13be4f0f7993c

reference_url	https://github.com/python-pillow/Pillow/pull/5920
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5920

reference_url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

reference_url	https://www.debian.org/security/2022/dsa-5053
reference_id
reference_type
scores
url	https://www.debian.org/security/2022/dsa-5053

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-22815
reference_id	CVE-2022-22815
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-22815

fixed_packages

url pkg:pypi/pillow@9.0.0

purl pkg:pypi/pillow@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.0.0

aliases CVE-2022-22815, GHSA-pw3c-h7wp-cvhx, PYSEC-2022-8

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d4dx-wbrv-gqaa

url VCID-dkcx-xcb8-3fgj

vulnerability_id VCID-dkcx-xcb8-3fgj

summary The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

references

reference_url	https://github.com/advisories/GHSA-98vv-pw6r-q6q4
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-98vv-pw6r-q6q4

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b

reference_url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C

reference_url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

reference_url	https://security.gentoo.org/glsa/202211-10
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202211-10

reference_url	https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
reference_id
reference_type
scores
url	https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2021-23437
reference_id	CVE-2021-23437
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2021-23437

fixed_packages

url pkg:pypi/pillow@8.3.2

purl pkg:pypi/pillow@8.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.3.2

aliases CVE-2021-23437, GHSA-98vv-pw6r-q6q4, PYSEC-2021-317, SNYK-PYTHON-PILLOW-1319443

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dkcx-xcb8-3fgj

url VCID-fq9j-ntxd-t3b3

vulnerability_id VCID-fq9j-ntxd-t3b3

summary An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

references

reference_url	https://github.com/advisories/GHSA-77gc-v2xv-rvvh
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-77gc-v2xv-rvvh

reference_url	https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-25287, GHSA-77gc-v2xv-rvvh, PYSEC-2021-137

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fq9j-ntxd-t3b3

url VCID-gve2-x5zh-gqha

vulnerability_id VCID-gve2-x5zh-gqha

summary An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

references

reference_url	https://github.com/advisories/GHSA-g6rj-rv7j-xwp4
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-g6rj-rv7j-xwp4

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-28675, GHSA-g6rj-rv7j-xwp4, PYSEC-2021-139

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gve2-x5zh-gqha

url VCID-htee-x1mv-sfhh

vulnerability_id VCID-htee-x1mv-sfhh

summary An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

references

reference_url	https://github.com/advisories/GHSA-q5hq-fp76-qmrc
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-q5hq-fp76-qmrc

reference_url	https://github.com/python-pillow/Pillow/pull/5377
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5377

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-28677, GHSA-q5hq-fp76-qmrc, PYSEC-2021-93

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-htee-x1mv-sfhh

url VCID-prvn-bejg-kufb

vulnerability_id VCID-prvn-bejg-kufb

summary An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

references

reference_url	https://github.com/advisories/GHSA-rwv7-3v45-hg29
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-rwv7-3v45-hg29

reference_url	https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-25288, GHSA-rwv7-3v45-hg29, PYSEC-2021-138

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-prvn-bejg-kufb

url VCID-q8fz-36n2-vfh2

vulnerability_id VCID-q8fz-36n2-vfh2

summary Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

references

reference_url	https://github.com/advisories/GHSA-9j59-75qj-795w
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-9j59-75qj-795w

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/blob/e8ab5640774716c5486d3cb05167f74f742ad6ef/CHANGES.rst?plain=1#L1172
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/blob/e8ab5640774716c5486d3cb05167f74f742ad6ef/CHANGES.rst?plain=1#L1172

reference_url	https://github.com/python-pillow/Pillow/commit/10c4f75aaa383bd9671e923e3b91d391ea12d781
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/10c4f75aaa383bd9671e923e3b91d391ea12d781

reference_url	https://github.com/python-pillow/Pillow/commit/143032103c9f2d55a0a7960bd3e630cb72549e8a
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/143032103c9f2d55a0a7960bd3e630cb72549e8a

reference_url	https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26

reference_url	https://github.com/python-pillow/Pillow/pull/3450
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/3450

reference_url	https://github.com/python-pillow/Pillow/pull/6010
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/6010

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security

reference_url	https://security.gentoo.org/glsa/202211-10
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202211-10

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-24303
reference_id	CVE-2022-24303
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-24303

fixed_packages

url pkg:pypi/pillow@9.0.1

purl pkg:pypi/pillow@9.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.0.1

aliases CVE-2022-24303, GHSA-9j59-75qj-795w, GMS-2022-348, PYSEC-2022-168

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q8fz-36n2-vfh2

url VCID-qbfa-rky7-juh5

vulnerability_id VCID-qbfa-rky7-juh5

summary An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

references

reference_url	https://github.com/advisories/GHSA-7r7m-5h27-29hp
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-7r7m-5h27-29hp

reference_url	https://github.com/python-pillow/Pillow/pull/5377
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5377

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-28676, GHSA-7r7m-5h27-29hp, PYSEC-2021-92

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qbfa-rky7-juh5

url VCID-tcda-8txy-7ygn

vulnerability_id VCID-tcda-8txy-7ygn

summary An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

references

reference_url	https://github.com/advisories/GHSA-hjfx-8p6c-g7gx
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-hjfx-8p6c-g7gx

reference_url	https://github.com/python-pillow/Pillow/pull/5377
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5377

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos

fixed_packages

url pkg:pypi/pillow@8.2.0

purl pkg:pypi/pillow@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.2.0

aliases CVE-2021-28678, GHSA-hjfx-8p6c-g7gx, PYSEC-2021-94

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tcda-8txy-7ygn

url VCID-vx7b-mwfx-5fg2

vulnerability_id VCID-vx7b-mwfx-5fg2

summary Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).

references

reference_url	https://bugs.gentoo.org/855683
reference_id
reference_type
scores
url	https://bugs.gentoo.org/855683

reference_url	https://cwe.mitre.org/data/definitions/409.html
reference_id
reference_type
scores
url	https://cwe.mitre.org/data/definitions/409.html

reference_url	https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4

reference_url	https://github.com/python-pillow/Pillow/pull/6402
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/6402

reference_url	https://github.com/python-pillow/Pillow/releases/tag/9.2.0
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/releases/tag/9.2.0

fixed_packages

url pkg:pypi/pillow@9.2.0

purl pkg:pypi/pillow@9.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-q325-dhha-83b2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.2.0

aliases CVE-2022-45198, PYSEC-2022-42979

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vx7b-mwfx-5fg2

url VCID-wfzw-3x26-tucg

vulnerability_id VCID-wfzw-3x26-tucg

summary path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

references

reference_url	https://github.com/advisories/GHSA-xrcv-f9gm-v42c
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-xrcv-f9gm-v42c

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-9.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331

reference_url	https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/5543e4e2d409cd9e409bc64cdc77be0af007a31f

reference_url	https://github.com/python-pillow/Pillow/pull/5920
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/5920

reference_url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling

reference_url	https://security.gentoo.org/glsa/202211-10
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202211-10

reference_url	https://www.debian.org/security/2022/dsa-5053
reference_id
reference_type
scores
url	https://www.debian.org/security/2022/dsa-5053

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-22816
reference_id	CVE-2022-22816
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-22816

fixed_packages

url pkg:pypi/pillow@9.0.0

purl pkg:pypi/pillow@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@9.0.0

aliases CVE-2022-22816, GHSA-xrcv-f9gm-v42c, PYSEC-2022-9

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wfzw-3x26-tucg

url VCID-x3bz-ehvb-jyfs

vulnerability_id VCID-x3bz-ehvb-jyfs

summary An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

references

reference_url	https://devhub.checkmarx.com/cve-details/CVE-2023-44271/
reference_id
reference_type
scores
url	https://devhub.checkmarx.com/cve-details/CVE-2023-44271/

reference_url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml
reference_id
reference_type
scores
url	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-227.yaml

reference_url	https://github.com/python-pillow/Pillow
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow

reference_url	https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7

reference_url	https://github.com/python-pillow/Pillow/pull/7244
reference_id
reference_type
scores
url	https://github.com/python-pillow/Pillow/pull/7244

reference_url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N2JOEDUJDQLCUII2LQYZYSM7RJL2I3P4

reference_url	https://devhub.checkmarx.com/cve-details/CVE-2023-44271
reference_id	CVE-2023-44271
reference_type
scores
url	https://devhub.checkmarx.com/cve-details/CVE-2023-44271

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-44271
reference_id	CVE-2023-44271
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-44271

reference_url	https://github.com/advisories/GHSA-8ghj-p4vj-mr35
reference_id	GHSA-8ghj-p4vj-mr35
reference_type
scores
url	https://github.com/advisories/GHSA-8ghj-p4vj-mr35

fixed_packages

url pkg:pypi/pillow@10.0.0

purl pkg:pypi/pillow@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-9hza-srk7-sucy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@10.0.0

aliases CVE-2023-44271, GHSA-8ghj-p4vj-mr35, PYSEC-2023-227

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x3bz-ehvb-jyfs

Fixing_vulnerabilities

url VCID-3gam-zy4w-2ucr

vulnerability_id VCID-3gam-zy4w-2ucr

summary Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

references

reference_url	https://github.com/advisories/GHSA-95q3-8gr9-gm8w
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-95q3-8gr9-gm8w

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-27923, GHSA-95q3-8gr9-gm8w, PYSEC-2021-42

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3gam-zy4w-2ucr

url VCID-5h45-rcpb-q7bz

vulnerability_id VCID-5h45-rcpb-q7bz

summary An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

references

reference_url	https://github.com/advisories/GHSA-57h3-9rgr-c24m
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-57h3-9rgr-c24m

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-25289, GHSA-57h3-9rgr-c24m, PYSEC-2021-35

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5h45-rcpb-q7bz

url VCID-8z6g-5td3-g7ej

vulnerability_id VCID-8z6g-5td3-g7ej

summary An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

references

reference_url	https://github.com/advisories/GHSA-p43w-g3c5-g5mq
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-p43w-g3c5-g5mq

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-25293, GHSA-p43w-g3c5-g5mq, PYSEC-2021-39

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8z6g-5td3-g7ej

url VCID-g48w-36yx-tue3

vulnerability_id VCID-g48w-36yx-tue3

summary Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

references

reference_url	https://github.com/advisories/GHSA-f4w8-cv6p-x6r5
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-f4w8-cv6p-x6r5

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-27921, GHSA-f4w8-cv6p-x6r5, PYSEC-2021-40

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g48w-36yx-tue3

url VCID-qz6s-pjqj-7uet

vulnerability_id VCID-qz6s-pjqj-7uet

summary An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

references

reference_url	https://github.com/advisories/GHSA-8xjq-8fcg-g5hw
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-8xjq-8fcg-g5hw

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-25290, GHSA-8xjq-8fcg-g5hw, PYSEC-2021-36

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qz6s-pjqj-7uet

url VCID-wuv4-qn69-zygh

vulnerability_id VCID-wuv4-qn69-zygh

summary An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

references

reference_url	https://github.com/advisories/GHSA-9hx2-hgq2-2g4f
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-9hx2-hgq2-2g4f

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-25292, GHSA-9hx2-hgq2-2g4f, PYSEC-2021-38

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wuv4-qn69-zygh

url VCID-yk5x-nt2m-5kgy

vulnerability_id VCID-yk5x-nt2m-5kgy

summary An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

references

reference_url	https://github.com/advisories/GHSA-mvg9-xffr-p774
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-mvg9-xffr-p774

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-25291, GHSA-mvg9-xffr-p774, PYSEC-2021-37

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yk5x-nt2m-5kgy

url VCID-zsxq-dasb-qyex

vulnerability_id VCID-zsxq-dasb-qyex

summary Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

references

reference_url	https://github.com/advisories/GHSA-3wvg-mj6g-m9cv
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-3wvg-mj6g-m9cv

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/

reference_url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
reference_id
reference_type
scores
url	https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

fixed_packages

url pkg:pypi/pillow@8.1.1

purl pkg:pypi/pillow@8.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2gpf-94cu-6fcd

vulnerability	VCID-4tub-w66m-uyfu

vulnerability	VCID-7ya3-j9fa-zugj

vulnerability	VCID-9hza-srk7-sucy

vulnerability	VCID-d4dx-wbrv-gqaa

vulnerability	VCID-dkcx-xcb8-3fgj

vulnerability	VCID-fq9j-ntxd-t3b3

vulnerability	VCID-gve2-x5zh-gqha

vulnerability	VCID-htee-x1mv-sfhh

vulnerability	VCID-prvn-bejg-kufb

vulnerability	VCID-q8fz-36n2-vfh2

vulnerability	VCID-qbfa-rky7-juh5

vulnerability	VCID-tcda-8txy-7ygn

vulnerability	VCID-vx7b-mwfx-5fg2

vulnerability	VCID-wfzw-3x26-tucg

vulnerability	VCID-x3bz-ehvb-jyfs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

aliases CVE-2021-27922, GHSA-3wvg-mj6g-m9cv, PYSEC-2021-41

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zsxq-dasb-qyex

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pillow@8.1.1

Package Instance