CVE-2014-9601 — Improper Input Validation in Pillow

CWE-20 — Improper Input Validation CWE-770 — Allocation of Resources Without Limits or Throttling15 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

1.0%

top 22.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Fedoraproject Fedora Opensuse +1 more

Timeline

PublishedJan 16

Latest updateMay 14

Description

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶PyPIpython/pillow< 2.7.0

▶Debianpython/pillow< 2.6.1-2+3

▶Ubuntupython/pillow< 2.3.0-1ubuntu3.3+3

▶NVDpython/pillow2.6.2

▶NVDoracle/solaris11.2

Also affects: Fedora 21

🔴Vulnerability Details

OSV

Pillow denial of service via PNG bomb↗2022-05-14

▶

GHSA

Pillow denial of service via PNG bomb↗2022-05-14

▶

OSV

pillow vulnerabilities↗2017-03-13

▶

OSV

Pillow regression↗2016-09-30

▶

OSV

Pillow vulnerabilities↗2016-09-27

▶

📋Vendor Advisories

Ubuntu

Pillow vulnerabilities↗2017-03-13

▶

Ubuntu

Python Imaging Library vulnerabilities↗2017-03-13

▶

Ubuntu

Pillow regresssion↗2016-09-30

▶

Ubuntu

Pillow vulnerabilities↗2016-09-27

▶

Red Hat

python-pillow: potential denial-of-service during PNG decompression↗2014-12-31

▶

💬Community

Bugzilla

CVE-2014-9601 python-pillow: potential denial-of-service during PNG decompression↗2015-01-06

▶