Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2021-2163.NASL
HistoryJul 06, 2021 - 12:00 a.m.

EulerOS Virtualization 3.0.2.2 : python-pillow (EulerOS-SA-2021-2163)

2021-07-0600:00:00
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
19

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

AI Score

6.8

Confidence

High

EPSS

0.018

Percentile

88.3%

JSON

According to the version of the python-pillow package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  • Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.(CVE-2014-9601)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(151376);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/26");

  script_cve_id("CVE-2014-9601");

  script_name(english:"EulerOS Virtualization 3.0.2.2 : python-pillow (EulerOS-SA-2021-2163)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the python-pillow package installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerability :

  - Pillow before 2.7.0 allows remote attackers to cause a
    denial of service via a compressed text chunk in a PNG
    image that has a large size when it is
    decompressed.(CVE-2014-9601)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2163
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d80cc99");
  script_set_attribute(attribute:"solution", value:
"Update the affected python-pillow package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9601");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2021/07/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-pillow");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["python-pillow-2.0.0-19.h9.gitd1c6db8.eulerosv2r7.src"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-pillow");
}
VendorProductVersionCPE
huaweieulerospython-pillowp-cpe:/a:huawei:euleros:python-pillow
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.2.2

Related

ubuntucve 1
openvas 13
prion 1
cve 1
nvd 1
github 1
nessus 17
fedora 1
osv 2
cvelist 1
mageia 1
debiancve 1
ubuntu 4
securityvulns 2
amazon 1
ubuntucve
ubuntucve
CVE-2014-9601
2015-01-16 00:00:00
openvas
openvas
Fedora Update for python-pillow FEDORA-2015-0667
2015-01-22 00:00:00
Huawei EulerOS: Security Advisory for python-pillow (EulerOS-SA-2021-2163)
2021-07-07 00:00:00
Mageia: Security Advisory (MGASA-2015-0039)
2022-01-28 00:00:00
prion
prion
Code injection
2015-01-16 16:59:00
cve
cve
CVE-2014-9601
2015-01-16 16:59:17
nvd
nvd
CVE-2014-9601
2015-01-16 16:59:17
github
github
Pillow denial of service via PNG bomb
2022-05-14 02:05:56
nessus
nessus
Fedora 21 : python-pillow-2.6.1-2.fc21 (2015-0667)
2015-01-22 00:00:00
EulerOS Virtualization 3.0.6.6 : python-pillow (EulerOS-SA-2021-1515)
2021-03-04 00:00:00
EulerOS Virtualization for ARM 64 3.0.2.0 : python-pillow (EulerOS-SA-2021-1383)
2021-03-10 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: python-pillow-2.6.1-2.fc21
2015-01-21 23:07:12
osv
osv
PYSEC-2015-16
2015-01-16 16:59:00
Pillow denial of service via PNG bomb
2022-05-14 02:05:56
cvelist
cvelist
CVE-2014-9601
2015-01-16 16:00:00
mageia
mageia
Updated python-pillow packages fix CVE-2014-9601
2015-01-28 00:08:29
debiancve
debiancve
CVE-2014-9601
2015-01-16 16:59:17
ubuntu
ubuntu
Python Imaging Library vulnerabilities
2017-03-13 00:00:00
Pillow vulnerabilities
2017-03-13 00:00:00
Pillow vulnerabilities
2016-09-27 00:00:00
securityvulns
securityvulns
[ MDVSA-2015:099 ] python-pillow
2015-04-19 00:00:00
pillow multiple security vulnerabilities
2015-04-19 00:00:00
amazon
amazon
Important: python-pillow
2023-06-05 16:39:00

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

AI Score

6.8

Confidence

High

EPSS

0.018

Percentile

88.3%

JSON
Related for EULEROS_SA-2021-2163.NASL
ubuntucve1openvas13prion1cve1nvd1github1nessus17fedora1osv2cvelist1mageia1debiancve1ubuntu4securityvulns2amazon1