Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl: 22 vulnerabilities (highest severity is: 9.8) - autoclosed #2

@mend-for-github-com

Description

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-22817 | High | 9.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 9.0.0 | |
| CVE-2022-22815 | High | 9.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 9.0.0 | |
| CVE-2022-22816 | High | 9.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 9.0.0 | |
| CVE-2021-34552 | High | 9.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow-8.3.0 | |
| CVE-2021-25289 | High | 9.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.1 | |
| CVE-2021-25287 | High | 9.1 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2021-25288 | High | 9.1 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2020-35654 | High | 8.8 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.0 | |
| CVE-2021-27923 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.1.2 | |
| CVE-2021-23437 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.3.2 | |
| CVE-2021-25290 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.1 | |
| CVE-2021-25291 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.1 | |
| CVE-2021-25293 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.1 | |
| CVE-2021-28676 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2021-28677 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2021-27921 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.1.2 | |
| CVE-2021-27922 | High | 7.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.1.2 | |
| CVE-2020-35653 | High | 7.1 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.0 | |
| CVE-2021-25292 | Medium | 6.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.1 | |
| CVE-2021-28675 | Medium | 5.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2021-28678 | Medium | 5.5 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | Pillow - 8.2.0 | |
| CVE-2020-35655 | Medium | 5.4 | Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl | Direct | 8.1.0 | |

Details

Partial details (14 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the WhiteSource Application.

CVE-2022-22817

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

Publish Date: 2022-01-10

URL: CVE-2022-22817

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22817

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-22815

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22815

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22815

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-22816

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Publish Date: 2022-01-10

URL: CVE-2022-22816

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22816

Release Date: 2022-01-10

Fix Resolution: Pillow - 9.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-34552

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Publish Date: 2021-07-13

URL: CVE-2021-34552

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

Release Date: 2021-07-13

Fix Resolution: Pillow-8.3.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-25289

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

Publish Date: 2021-03-19

URL: CVE-2021-25289

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-25287

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

Publish Date: 2021-06-02

URL: CVE-2021-25287

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25287

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-25288

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

Publish Date: 2021-06-02

URL: CVE-2021-25288

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25288

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-35654

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Publish Date: 2021-01-12

URL: CVE-2020-35654

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35654

Release Date: 2021-01-12

Fix Resolution: 8.1.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-27923

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of Pillow up to version 8.1.1 are vulnerable to CVE-2021-27923.

Publish Date: 2021-03-03

URL: CVE-2021-27923

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

⛑️ Automatic Remediation is available for this issue

CVE-2021-23437

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

The pillow package, from version 5.2.0 up to but not including 8.3.2, is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Publish Date: 2021-09-03

URL: CVE-2021-23437

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

Release Date: 2021-09-03

Fix Resolution: Pillow - 8.3.2

⛑️ Automatic Remediation is available for this issue

CVE-2021-25290

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Publish Date: 2021-03-19

URL: CVE-2021-25290

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-25291

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries.

Publish Date: 2021-03-19

URL: CVE-2021-25291

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-25293

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Publish Date: 2021-03-19

URL: CVE-2021-25293

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-03-19

Fix Resolution: 8.1.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-28676

Vulnerable Library - Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/e8/f2/6722dd0c22e3a143ac792ccb2424924ac72af4adea756b1165b4cad50da7/Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl

Path to dependency file: /projects/Wikipedia_search_wordcloud/requirements.txt

Path to vulnerable library: /projects/Wikipedia_search_wordcloud/requirements.txt,/projects/convert_png_images_to_ico_format/requirements.txt,/projects/Wikipedia_search_wordcloud/requirements.txt

Dependency Hierarchy:

  • Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (Vulnerable Library)

Found in HEAD commit: bf2f317cb6b371fa8ba87f3a9f45a7dde720c061

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Publish Date: 2021-06-02

URL: CVE-2021-28676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28676

Release Date: 2021-06-02

Fix Resolution: Pillow - 8.2.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.
