CVE-2020-35653 — Out-of-bounds Read in Pillow

CWE-125 — Out-of-bounds Read12 documents8 sources

Severity

7.1HIGHNVD

OSV5.5

EPSS

0.3%

top 47.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedJan 12

Latest updateFeb 14

Description

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages5 packages

▶NVDpython/pillow< 8.1.0

▶PyPIpython/pillow< 8.1.0

▶Debianpython/pillow< 8.1.0-1+3

▶Ubuntupython/pillow< 3.1.2-0ubuntu1.5+3

▶Palo Altopaloalto/pan-os

Also affects: Debian Linux 9.0, Fedora 32, 33

🔴Vulnerability Details

GHSA

Pillow Out-of-bounds Read↗2021-03-18

▶

OSV

Pillow Out-of-bounds Read↗2021-03-18

▶

OSV

pillow vulnerabilities↗2021-01-20

▶

OSV

pillow vulnerabilities↗2021-01-18

▶

OSV

CVE-2020-35653: In Pillow before 8↗2021-01-12

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

Pillow vulnerabilities↗2021-01-20

▶

Ubuntu

Pillow vulnerabilities↗2021-01-18

▶

Red Hat

python-pillow: Buffer over-read in PCX image reader↗2021-01-03

▶

Debian

CVE-2020-35653: pillow - In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted...↗2020

▶