Out-of-bounds reads in Pillow · CVE-2020-10994 · GitHub Advisory Database · GitHub

Out-of-bounds reads in Pillow

Moderate severity GitHub Reviewed Published Jul 27, 2020 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

Pillow (pip)

Affected versions

< 7.1.0

Patched versions

7.1.0

Description

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

References

Published by the National Vulnerability Database

Jun 25, 2020

Reviewed Jul 27, 2020

Published to the GitHub Advisory Database Jul 27, 2020

Last updated Sep 5, 2023

Severity

Moderate

5.5

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H