CVE-2019-16865: Allocation of Resources Without Limits or Throttling in Pillow

Severity: 7.5 HIGH (NVD)
EPSS: 3.9% (top 11.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 4; latest update Feb 14

Description

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD: python/pillow < 6.2.0
PyPI: python/pillow < 6.2.0
Debian: python/pillow < 6.2.0-1+3
Ubuntu: python/pillow < 3.1.2-0ubuntu1.3+2
Palo Alto: paloalto/pan-os

Also affects: Fedora 30, 31

🔴 Vulnerability Details (5)

OSV: pillow vulnerabilities (2020-02-06)
GHSA: DOS attack in Pillow when processing specially crafted image files (2019-10-22)
OSV: DOS attack in Pillow when processing specially crafted image files (2019-10-22)
OSV: CVE-2019-16865: An issue was discovered in Pillow before 6 (2019-10-04)
CVEList: CVE-2019-16865: An issue was discovered in Pillow before 6 (2019-10-04)

📋 Vendor Advisories (4)

Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Ubuntu: Pillow vulnerabilities (2020-02-06)
Red Hat: python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service (2019-10-04)
Debian: CVE-2019-16865: pillow - An issue was discovered in Pillow before 6.2.0. When reading specially crafted i... (2019)

💬 Community (3)

Bugzilla: CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service (2019-11-19)
Bugzilla: CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory and denial of service [openstack-rdo] (2019-11-19)
Bugzilla: CVE-2019-16865 python-pillow: reading specially crafted image files leads to allocation of large amounts of memory [fedora-all] (2019-11-19)