VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-9865-t7wz-gqgw

Essentials
Severities (48)
References (18)
Severity details (23)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-9865-t7wz-gqgw
Aliases	CVE-2016-9189 GHSA-rwr3-c2q8-gm56 PYSEC-2016-8
Summary	Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-190	Integer Overflow or Wraparound
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	5.5	http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
generic_textual	MODERATE	http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9189.json
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
epss	0.00358	https://api.first.org/data/v1/epss?cve=CVE-2016-9189
cvssv2	4.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	5.5	https://github.com/advisories/GHSA-rwr3-c2q8-gm56
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-rwr3-c2q8-gm56
generic_textual	MODERATE	https://github.com/advisories/GHSA-rwr3-c2q8-gm56
cvssv3.1	5.5	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yaml
generic_textual	MODERATE	https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yaml
cvssv3.1	5.5	https://github.com/python-pillow/Pillow
generic_textual	MODERATE	https://github.com/python-pillow/Pillow
cvssv3.1	5.5	https://github.com/python-pillow/Pillow/issues/2105
generic_textual	MODERATE	https://github.com/python-pillow/Pillow/issues/2105
cvssv3.1	5.5	https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
generic_textual	MODERATE	https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
cvssv3.1	5.5	https://nvd.nist.gov/vuln/detail/CVE-2016-9189
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2016-9189
cvssv3.1	5.5	https://security.gentoo.org/glsa/201612-52
generic_textual	MODERATE	https://security.gentoo.org/glsa/201612-52
cvssv3.1	5.5	http://www.debian.org/security/2016/dsa-3710
generic_textual	MODERATE	http://www.debian.org/security/2016/dsa-3710
cvssv3.1	5.5	http://www.securityfocus.com/bid/94234
generic_textual	MODERATE	http://www.securityfocus.com/bid/94234

Reference id	Reference type	URL
		http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9189.json
		https://api.first.org/data/v1/epss?cve=CVE-2016-9189
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9189
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9190
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/advisories/GHSA-rwr3-c2q8-gm56
		https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yaml
		https://github.com/python-pillow/Pillow
		https://github.com/python-pillow/Pillow/issues/2105
		https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
		https://nvd.nist.gov/vuln/detail/CVE-2016-9189
		https://security.gentoo.org/glsa/201612-52
		http://www.debian.org/security/2016/dsa-3710
		http://www.securityfocus.com/bid/94234
1382000		https://bugzilla.redhat.com/show_bug.cgi?id=1382000
USN-3229-1		https://usn.ubuntu.com/3229-1/
USN-3230-1		https://usn.ubuntu.com/3230-1/

No exploits are available.

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9189.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/advisories/GHSA-rwr3-c2q8-gm56

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-8.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/python-pillow/Pillow

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/python-pillow/Pillow/issues/2105

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-9189

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://security.gentoo.org/glsa/201612-52

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at http://www.debian.org/security/2016/dsa-3710

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at http://www.securityfocus.com/bid/94234

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.57307
EPSS Score	0.00358
Published At	Aug. 6, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:06:03.589776+00:00	Pypa Importer	Import	https://github.com/pypa/advisory-database/blob/main/vulns/pillow/PYSEC-2016-8.yaml	37.0.0