PYSEC-2021-35 — Vulnetix

PYSEC-2021-35 PUBLISHED CVSS 9.300000190734863 CRITICAL

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NOTE: this issue exists because of an incomplete fix for CVE-2020-35654.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	pillow	1.0, 1.1, 1.2

Timeline

Mar 19, 2021 CVE Published
Dec 6, 2023 CVE Updated

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html url
https://github.com/advisories/GHSA-57h3-9rgr-c24m advisory

Open in Interactive Console →