[Snyk: Critical] pillow Heap-based Buffer Overflow (Due 10/27/2023) #5930
Upgrading wagtail to v5.1.2 alone didn't fix the pillow Snyk vulnerability.
Upgrading wagtail to v5.1.2 along with pinning pillow to v10.0.1 seems to fix this Snyk vulnerability.
cnlucas changed the title from "[Snyk: High] pillow Heap-based Buffer Overflow (Due 10/27/2023)" to "[Snyk: Critical] pillow Heap-based Buffer Overflow (Due 10/27/2023)" on Nov 8, 2023.
Changes merged in PR #6020. Closing this issue.
1st Issue: pillow Heap-based Buffer Overflow
Vulnerability: CWE-122, CVE-2023-4863
CVSS: 7.3 HIGH
Snyk ID: SNYK-PYTHON-PILLOW-5918878
Score: 865
Introduced through: wagtail@4.2.3
Fixed in: pillow@10.0.1
Exploit maturity: MATURE
Detailed paths and remediation
Introduced through: project@0.0.0 › wagtail@4.2.3 › pillow@9.5.0
Fix: Pin pillow to version 10.0.1
Security information
Factors contributing to the scoring:
Snyk: CVSS 7.3 - High Severity
NVD: CVSS 8.8 - High Severity
Overview
Pillow is a PIL (Python Imaging Library) fork.
2nd Issue: pillow Uncontrolled Resource Consumption ('Resource Exhaustion') (Snyk HIGH)
Introduced through: wagtail@4.2.3
Fixed in: pillow@10.0.0
Overview
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when an ImageFont truetype font used by an ImageDraw instance operates on a long text argument. An attacker can cause the service to crash by submitting a task that allocates memory without bound.
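The remediation for both findings is a version floor on the resolved Pillow package, not on wagtail, which is why the wagtail-only upgrade in the comments above did not clear the alert. The following check is an added example, not code from this repository or from Snyk: it parses a pip-freeze style listing (a constructed sample modelled on the dependency path in the report) and reports which of the two advisories still applies to the pinned Pillow version, using the fixed-in versions stated on this page. Function and variable names are assumptions.

```python
"""Check a resolved Python dependency listing (pip freeze / requirements
format) against the two Pillow advisories in this issue. Thresholds are the
fixed-in versions from the Snyk report: heap-based buffer overflow
(CVE-2023-4863) fixed in pillow 10.0.1, resource exhaustion fixed in 10.0.0."""
import re
from typing import Dict, List, Tuple

# Fixed-in versions exactly as stated in the report above.
ADVISORIES = {
    "SNYK-PYTHON-PILLOW-5918878 (CVE-2023-4863, heap-based buffer overflow)": (10, 0, 1),
    "pillow uncontrolled resource consumption ('Resource Exhaustion')": (10, 0, 0),
}

# Only exact '==' pins are treated as resolved; ranges are not a verdict.
_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.1' into (10, 0, 1). Pre-release/local suffixes are not handled."""
    return tuple(int(p) for p in text.strip(".").split("."))

def pinned_versions(listing: str) -> Dict[str, Tuple[int, ...]]:
    """Collect exact pins from the listing, keyed by lower-cased package name
    so 'Pillow' and 'pillow' match."""
    found: Dict[str, Tuple[int, ...]] = {}
    for line in listing.splitlines():
        m = _PIN.match(line)
        if m:
            found[m.group(1).lower()] = parse_version(m.group(2))
    return found

def pillow_findings(listing: str) -> List[str]:
    """Return one message per advisory still applying to the pinned Pillow."""
    version = pinned_versions(listing).get("pillow")
    if version is None:
        return ["pillow is not pinned with '==': resolve the lock file before judging"]
    return [f"{name}: pillow {'.'.join(map(str, version))} < fixed-in {'.'.join(map(str, fixed))}"
            for name, fixed in ADVISORIES.items() if version < fixed]

# Constructed sample listings (assumed, not from the repository), following the
# report's path project > wagtail@4.2.3 > pillow@9.5.0 and the thread's two attempts.
BEFORE = "wagtail==4.2.3\nPillow==9.5.0\nDjango==4.2.5\n"
WAGTAIL_ONLY = "wagtail==5.1.2\nPillow==9.5.0\n"   # wagtail upgraded, Pillow unchanged
AFTER = "wagtail==5.1.2\nPillow==10.0.1\n"         # wagtail upgraded and Pillow pinned

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("wagtail only", WAGTAIL_ONLY), ("after", AFTER)):
        print(label, "->", pillow_findings(listing) or ["clean"])
```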