Lucene search

K

GoogleOSV:GHSA-Q4MP-JVH2-76FJ

HistoryNov 14, 2022 - 12:00 p.m.

Pillow subject to DoS via SAMPLESPERPIXEL tag

2022-11-1412:00:15

Google

osv.dev

16

pillow

dos vulnerability

samplesperpixel

tiffimageplugin.py

memory and runtime dos

software

version 9.3.0

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

57.9%

Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DOS in TiffImagePlugin.py when setting up the context for image decoding. This issue has been patched in version 9.3.0.

References

bugs.gentoo.org/878769

github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42980.yaml

github.com/python-pillow/Pillow

github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3

github.com/python-pillow/Pillow/pull/6700

github.com/python-pillow/Pillow/releases/tag/9.3.0

nvd.nist.gov/vuln/detail/CVE-2022-45199

security.gentoo.org/glsa/202211-10

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

57.9%

Related for OSV:GHSA-Q4MP-JVH2-76FJ

ubuntucve1 osv3 github1 openvas12 nessus14 cve1 debiancve1 veracode1 prion1 cvelist1 nvd1 redos1 gentoo1 oracle1