Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

Affected configurations

Vulners

Node

pythonpillowRange<10.0.1

CPENameOperatorVersion
pillowlt10.0.1

CPE	Name	Operator	Version
	pillow	lt	10.0.1

References

github.com/advisories/GHSA-56pw-mpj4-fxww

github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml

github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15

nvd.nist.gov/vuln/detail/CVE-2023-4863

nvd.nist.gov/vuln/detail/CVE-2023-5129

openvas 29

redhat 22

nessus 73

alpinelinux 2

redhatcve 1

cnvd 2

osv 19

github 3

ubuntucve 1

kaspersky 4

nvd 1

mozilla 1

attackerkb 1

rocky 3

prion 1

f5 1

cve 1

photon 1

talosblog 1

debiancve 2

cvelist 1

fedora 5

redos 1

chrome 1

thn 1

ubuntu 1

veracode 1

freebsd 1

slackware 1

almalinux 2

amazon 4

githubexploit 2

cloudfoundry 2

debian 4

hivepro 1

ibm 2

openvas

Mozilla Firefox Security Advisory (MFSA2023-40) - Linux

2023-09-13 00:00:00

Fedora: Security Advisory for libwebp (FEDORA-2023-e692a72898)

2023-10-16 00:00:00

Fedora: Security Advisory for libwebp (FEDORA-2023-2a0668fe43)

2023-10-01 00:00:00

redhat

(RHSA-2023:5202) Important: thunderbird security update

2023-09-18 14:01:39

(RHSA-2023:5204) Important: libwebp security update

2023-09-18 15:04:13

(RHSA-2023:5309) Important: libwebp security update

2023-09-20 06:41:26

nessus

RHEL 9 : libwebp (RHSA-2023:5204)

2023-09-18 00:00:00

RHEL 9 : thunderbird (RHSA-2023:5224)

2023-09-19 00:00:00

RHEL 9 : firefox (RHSA-2023:5200)

2023-09-18 00:00:00

alpinelinux

CVE-2023-5129

2023-09-25 21:15:16

CVE-2023-4863

2023-09-12 15:15:24

redhatcve

CVE-2023-5129

2023-09-27 17:55:08

cnvd

Google libwebp open source library remote code execution vulnerability

2023-09-27 00:00:00

Google Chrome Buffer Overflow Vulnerability (CNVD-2023-71680)

2023-09-15 00:00:00

osv

Important: thunderbird security update

2023-10-06 22:57:16

CVE-2023-4863

2023-09-12 15:15:24

Important: libwebp security update

2023-10-06 22:58:06

github

Bundled libwebp in imagecodecs vulnerable

2023-10-05 00:07:46

Imageflow affected by libwebp zero-day and should not be used with malicious source images.

2023-09-27 21:16:16

libwebp: OOB write in BuildHuffmanTable

2023-09-12 15:30:20

ubuntucve

CVE-2023-5129

2023-09-25 00:00:00

kaspersky

KLA60726 DoS vulnerability in Mozilla Firefox ESR

2023-09-12 00:00:00

KLA60725 DoS vulnerability in Mozilla Thunderbird

2023-09-12 00:00:00

KLA60727 DoS vulnerability in Mozilla Firefox

2023-09-12 00:00:00

nvd

CVE-2023-5129

2023-09-25 21:15:16

mozilla

Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2 — Mozilla

2023-09-12 00:00:00

attackerkb

CVE-2023-5129

2023-09-25 00:00:00

rocky

thunderbird security update

2023-10-06 22:57:16

libwebp security update

2023-10-06 22:58:06

firefox security update

2023-09-19 12:09:00

prion

Open redirect

2023-09-25 21:15:00

K000137054 : libwebp vulnerabilities CVE-2023-4863 and CVE-2023-5129

2023-09-29 00:00:00

cve

CVE-2023-5129

2023-09-25 21:15:16

photon

Critical Photon OS Security Update - PHSA-2023-3.0-0657

2023-09-28 00:00:00

talosblog

The security pitfalls of social media sites offering ID-based authentication

2023-09-28 18:00:11

debiancve

CVE-2023-5129

2023-09-25 21:15:00

CVE-2023-4863

2023-09-12 15:15:24

cvelist

CVE-2023-5129

2023-09-25 20:42:25

fedora

[SECURITY] Fedora 37 Update: firefox-118.0.1-7.fc37

2023-10-10 01:33:42

[SECURITY] Fedora 38 Update: firefox-118.0.1-4.fc38

2023-10-06 01:31:45

[SECURITY] Fedora 39 Update: libwebp-1.3.2-2.fc39

2023-10-03 00:20:56

redos

ROS-20240404-15

2024-04-04 00:00:00

chrome

Stable Channel Update for Desktop

2023-09-11 00:00:00

thn

Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird

2023-09-13 01:50:00

ubuntu

Firefox vulnerability

2023-09-14 00:00:00

veracode

Heap Buffer Overflow

2023-09-15 13:45:13

freebsd

libwebp heap buffer overflow

2023-09-12 00:00:00

slackware

[slackware-security] seamonkey

2023-09-21 19:43:16

almalinux

Important: firefox security update

2023-09-18 00:00:00

Important: thunderbird security update

2023-09-19 00:00:00

amazon

Important: thunderbird

2023-10-12 15:08:00

Important: libwebp12

2023-10-12 15:08:00

Important: thunderbird

2023-10-12 15:08:00

githubexploit

Exploit for Out-of-bounds Write in Google Chrome

2023-09-25 10:33:09

Exploit for Out-of-bounds Write in Google Chrome

2023-12-18 23:12:25

cloudfoundry

| Cloud Foundry

2023-10-05 00:00:00

USN-6369-1: libwebp vulnerability | Cloud Foundry

2023-10-12 00:00:00

debian

[SECURITY] [DLA 3568-1] firefox-esr security update

2023-09-16 09:04:49

[SECURITY] [DLA 3570-1] libwebp security update

2023-09-18 12:07:01

[SECURITY] [DSA 5497-1] libwebp security update

2023-09-13 21:07:56

hivepro

Google Addresses Fourth Zero-Day Flaw Exploited by Attackers Wildly

2023-09-12 13:05:09

ibm

Security Bulletin: IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron

2023-10-20 09:35:15

Security Bulletin: IBM Cognos Analytics Cartridge for IBM Cloud Pak for Data 4.8.0 has addressed a security vulnerability (CVE-2023-4863)

2023-11-29 22:25:21

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.609 Medium

EPSS

Percentile

97.8%

JSON

Related for GHSA-56PW-MPJ4-FXWW