VDB
PYSEC-2016-9
PUBLISHED
CVSS 9.3 CRITICAL
Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code via a crafted image file, related to an insecure sign extension issue in the ImagingNew function in Storage.c.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | pillow | 0, 1.0, 1.1 |
Timeline
- Nov 4, 2016 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html url
- http://www.securityfocus.com/bid/94234 url
- https://github.com/advisories/GHSA-w4vg-rf63-f3j3 advisory
- https://github.com/python-pillow/Pillow/issues/2105 discussion
- https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af fix
- http://www.debian.org/security/2016/dsa-3710 advisory
- https://security.gentoo.org/glsa/201612-52 advisory