GitHub Advisory Database: GHSA-Q4MP-JVH2-76FJ
History: Nov 14, 2022 - 12:00 p.m.

Pillow subject to DoS via SAMPLESPERPIXEL tag

Published: 2022-11-14 12:00:15
CWE: CWE-400 (Uncontrolled Resource Consumption)
Source: GitHub Advisory Database (github.com)
Tags: pillow, dos vulnerability, samplesperpixel, tiffimageplugin, memory and runtime dos, software

CVSS 3.1 base score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

EPSS score: 0.002 (percentile 57.9%)

Pillow versions starting with 9.2.0 and prior to 9.3.0 allow denial of service via the TIFF SAMPLESPERPIXEL tag. A large value in that tag leads to a memory and runtime DoS in TiffImagePlugin.py while the context for image decoding is being set up, i.e. before any pixel data is decoded, so a tiny crafted file is enough to trigger it. No authentication or user interaction is needed beyond getting the file parsed, which is why the vector is scored AV:N/PR:N/UI:N. This issue has been patched in version 9.3.0.
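The durable fix is upgrading to Pillow 9.3.0 or later. As a defence for services that accept untrusted TIFF uploads, the following is an added example (not the advisory's text and not Pillow's own code) of a stdlib-only pre-validator: it parses the TIFF header and the first IFD, reads the SAMPLESPERPIXEL tag (277), and rejects the file before the bytes reach Pillow when the value exceeds a bound. The bound MAX_SAMPLESPERPIXEL = 8 is an assumed policy value chosen here, not a constant from Pillow; the build_tiff helper constructs a minimal sample file so the check can be exercised offline.

```python
import struct
from typing import Optional

TAG_SAMPLESPERPIXEL = 277          # TIFF tag 0x0115
TYPE_SHORT, TYPE_LONG = 3, 4       # TIFF field types used for this tag

# Assumed policy bound (not Pillow's constant): real images carry a handful of
# samples per pixel (1 gray/palette, 3 RGB, 4 RGBA/CMYK, plus a few extras).
MAX_SAMPLESPERPIXEL = 8


class TiffRejected(ValueError):
    """Raised when the file is malformed or fails the SAMPLESPERPIXEL policy."""


def read_samples_per_pixel(data: bytes) -> Optional[int]:
    """Return the SAMPLESPERPIXEL value from the first IFD, or None if absent.

    Only the inline SHORT/LONG encodings are handled; anything else is rejected
    rather than guessed at, which is the safe default for a pre-filter.
    """
    if len(data) < 8:
        raise TiffRejected("truncated TIFF header")
    if data[:2] == b"II":
        end = "<"                      # little-endian
    elif data[:2] == b"MM":
        end = ">"                      # big-endian
    else:
        raise TiffRejected("bad byte-order marker")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffRejected("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise TiffRejected("IFD offset outside file")
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    pos = ifd_off + 2
    if pos + 12 * n_entries > len(data):
        raise TiffRejected("IFD entries outside file")
    for _ in range(n_entries):
        tag, typ, count = struct.unpack(end + "HHI", data[pos:pos + 8])
        if tag == TAG_SAMPLESPERPIXEL:
            if count != 1 or typ not in (TYPE_SHORT, TYPE_LONG):
                raise TiffRejected("unexpected SAMPLESPERPIXEL encoding")
            # Inline values are left-justified in the 4-byte value field.
            fmt = "H" if typ == TYPE_SHORT else "I"
            (value,) = struct.unpack(end + fmt, data[pos + 8:pos + 8 + struct.calcsize(fmt)])
            return value
        pos += 12
    return None


def check_tiff(data: bytes, limit: int = MAX_SAMPLESPERPIXEL) -> int:
    """Return the accepted samples-per-pixel count, or raise TiffRejected."""
    spp = read_samples_per_pixel(data)
    if spp is None:
        return 1                       # TIFF default when the tag is absent
    if spp == 0 or spp > limit:
        raise TiffRejected(f"SAMPLESPERPIXEL={spp} outside 1..{limit}")
    return spp


def is_safe(data: bytes) -> bool:
    """Boolean wrapper for gatekeeping code paths."""
    try:
        check_tiff(data)
        return True
    except TiffRejected:
        return False


def build_tiff(spp_value: int, spp_type: int = TYPE_SHORT, byte_order: bytes = b"II") -> bytes:
    """Constructed minimal 1x1 8-bit grayscale TIFF with a chosen SAMPLESPERPIXEL value."""
    end = "<" if byte_order == b"II" else ">"
    entries = [
        (256, TYPE_SHORT, 1, 1),          # ImageWidth
        (257, TYPE_SHORT, 1, 1),          # ImageLength
        (258, TYPE_SHORT, 1, 8),          # BitsPerSample
        (259, TYPE_SHORT, 1, 1),          # Compression = none
        (262, TYPE_SHORT, 1, 1),          # PhotometricInterpretation = BlackIsZero
        (273, TYPE_LONG, 1, 0),           # StripOffsets (patched below)
        (277, spp_type, 1, spp_value),    # SamplesPerPixel (the tag under test)
        (278, TYPE_SHORT, 1, 1),          # RowsPerStrip
        (279, TYPE_LONG, 1, 1),           # StripByteCounts
    ]
    ifd_off = 8
    strip_off = ifd_off + 2 + 12 * len(entries) + 4
    out = bytearray(byte_order + struct.pack(end + "HI", 42, ifd_off))
    out += struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        if tag == 273:
            value = strip_off
        field = struct.pack(end + "H", value) + b"\x00\x00" if typ == TYPE_SHORT else struct.pack(end + "I", value)
        out += struct.pack(end + "HHI", tag, typ, count) + field
    out += struct.pack(end + "I", 0)     # no next IFD
    out += b"\x00"                        # the single pixel
    return bytes(out)


if __name__ == "__main__":
    print("RGB file:", check_tiff(build_tiff(3)))
    print("hostile SHORT 65535 accepted?", is_safe(build_tiff(65535)))
    print("hostile LONG 2**31 accepted?", is_safe(build_tiff(2 ** 31, TYPE_LONG)))
```

This only inspects the first IFD and only the inline SHORT/LONG forms of the tag, so it is a guardrail in front of the library, not a replacement for the 9.3.0 upgrade: confirm the installed version with `python -c "import PIL; print(PIL.__version__)"` and treat anything in the 9.2.x line as affected.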

Affected configurations

Vulners node: pillow, version range >= 9.2.0 and < 9.3.0
CPE: cpe:2.3:a:*:pillow:*:*:*:*:*:*:*:* (vendor: any, product: pillow, version: any)
