Search for vulnerabilities
Vulnerability details: VCID-r5ua-w32z-aaag
Vulnerability ID VCID-r5ua-w32z-aaag
Aliases CVE-2014-3589
GHSA-cfmr-38g9-f2h7
PYSEC-2014-10
Summary PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
System Score Found at
cvssv3.1 7.5 http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3589.html
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01611 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.0162 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.01718 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
epss 0.03421 https://api.first.org/data/v1/epss?cve=CVE-2014-3589
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1130711
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cfmr-38g9-f2h7
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-10.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-10.yaml
cvssv3.1 6.7 https://github.com/python-pillow/Pillow
generic_textual MODERATE https://github.com/python-pillow/Pillow
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
generic_textual HIGH https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/commit/5efeed77666bfd17708f3434b1d2daa9db1e1335
generic_textual HIGH https://github.com/python-pillow/Pillow/commit/5efeed77666bfd17708f3434b1d2daa9db1e1335
cvssv3.1 7.5 https://github.com/python-pillow/Pillow/commit/d47611e6fbb808ea109366781dd76559ffb80bcd
generic_textual HIGH https://github.com/python-pillow/Pillow/commit/d47611e6fbb808ea109366781dd76559ffb80bcd
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2014-3589
cvssv3.1 7.5 https://pypi.python.org/pypi/Pillow/2.3.2
generic_textual HIGH https://pypi.python.org/pypi/Pillow/2.3.2
cvssv3.1 7.5 https://pypi.python.org/pypi/Pillow/2.5.2
generic_textual HIGH https://pypi.python.org/pypi/Pillow/2.5.2
generic_textual Medium https://ubuntu.com/security/notices/USN-3080-1
cvssv3.1 7.5 http://www.debian.org/security/2014/dsa-3009
generic_textual HIGH http://www.debian.org/security/2014/dsa-3009
Reference id Reference type URL
http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
http://osvdb.org/show/osvdb/110128
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3589.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3589.json
https://api.first.org/data/v1/epss?cve=CVE-2014-3589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
http://seclists.org/bugtraq/2014/Sep/25
http://secunia.com/advisories/59825
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-10.yaml
https://github.com/python-pillow/Pillow
https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
https://github.com/python-pillow/Pillow/commit/5efeed77666bfd17708f3434b1d2daa9db1e1335
https://github.com/python-pillow/Pillow/commit/d47611e6fbb808ea109366781dd76559ffb80bcd
https://pypi.python.org/pypi/Pillow/2.3.2
https://pypi.python.org/pypi/Pillow/2.5.2
https://ubuntu.com/security/notices/USN-3080-1
http://www.debian.org/security/2014/dsa-3009
1130711 https://bugzilla.redhat.com/show_bug.cgi?id=1130711
758772 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758772
cpe:2.3:a:debian:python-imaging:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:debian:python-imaging:-:*:*:*:*:*:*:*
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
cpe:2.3:a:python:pillow:2.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:python:pillow:2.5.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:python:pillow:2.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:python:pillow:2.5.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:pillow:2.5.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
CVE-2014-3589 https://nvd.nist.gov/vuln/detail/CVE-2014-3589
GHSA-cfmr-38g9-f2h7 https://github.com/advisories/GHSA-cfmr-38g9-f2h7
USN-3080-1 https://usn.ubuntu.com/3080-1/
USN-3090-1 https://usn.ubuntu.com/3090-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-10.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/python-pillow/Pillow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/commit/5efeed77666bfd17708f3434b1d2daa9db1e1335
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/python-pillow/Pillow/commit/d47611e6fbb808ea109366781dd76559ffb80bcd
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2014-3589
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://pypi.python.org/pypi/Pillow/2.3.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://pypi.python.org/pypi/Pillow/2.5.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.debian.org/security/2014/dsa-3009
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.80085
EPSS Score 0.01611
Published At March 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.