
CVE-2023-50447 – pillow: Arbitrary Code Execution via the environment parameter
https://notcve.org/view.php?id=CVE-2023-50447
19 Jan 2024 — Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). A vulnerability was found in Pillow, a popular Python imaging library. The flaw identified in the PIL... • http://www.openwall.com/lists/oss-security/2024/01/20/1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2023-44271 – python-pillow: uncontrolled resource consumption when textlength in an ImageDraw instance operates on a long text argument
https://notcve.org/view.php?id=CVE-2023-44271
03 Nov 2023 — An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. • https://devhub.checkmarx.com/cve-details/CVE-2023-44271 • CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2022-45198 – Ubuntu Security Notice USN-5777-1
https://notcve.org/view.php?id=CVE-2022-45198
14 Nov 2022 — Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). It was discovered that Pillow incorrectly handled the deletion of temporary files when using a temporary directory that contains spaces. An attacker could possibly use this issue to delete arbitrary files. This issue only affected Ubuntu 20.04 LTS. • https://bugs.gentoo.org/855683

CVE-2022-45199 – Gentoo Linux Security Advisory 202211-10
https://notcve.org/view.php?id=CVE-2022-45199
14 Nov 2022 — Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. Versions less than 9.3.0 are affected. • https://bugs.gentoo.org/878769 • CWE-400: Uncontrolled Resource Consumption

CVE-2022-30595
https://notcve.org/view.php?id=CVE-2022-30595
25 May 2022 — libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. • https://github.com/python-pillow/Pillow/blob/main/src/libImaging/TgaRleDecode.c • CWE-787: Out-of-bounds Write