[Snyk: Critical] pillow Heap-based Buffer Overflow (Due 10/27/2023) #5930

Closed · tmpayton opened this issue Sep 27, 2023 · 4 comments
Labels: Security: high Remediate within 30 days

Comments

tmpayton (Contributor) commented Sep 27, 2023

1st Issue: pillow Heap-based Buffer Overflow

VULNERABILITY: CWE-122, CVE-2023-4863
CVSS: 7.3 HIGH
Snyk ID: SNYK-PYTHON-PILLOW-5918878
SCORE: 865
Introduced through: wagtail@4.2.3
Fixed in: pillow@10.0.1
Exploit maturity: MATURE

Detailed paths and remediation
Introduced through: project@0.0.0 › wagtail@4.2.3 › pillow@9.5.0
Fix: Pin pillow to version 10.0.1

Security information
Factors contributing to the scoring:
Snyk: CVSS 7.3 - High Severity
NVD: CVSS 8.8 - High Severity

Overview
Pillow is a PIL (Python Imaging Library) fork.

2nd Issue: SNYK HIGH pillow Uncontrolled Resource Consumption ('Resource Exhaustion')

Introduced through: wagtail@4.2.3
Fixed in: pillow@10.0.0
Exploit maturity: No known exploit

Detailed paths and remediation
Introduced through: project@0.0.0 › wagtail@4.2.3 › pillow@9.5.0
Fix: Pin pillow to version 10.0.0

Security information
Factors contributing to the scoring:
Snyk: CVSS 7.5 (https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904) - High Severity
NVD: Not available. NVD has not yet published its analysis.

Overview
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when the ImageFont truetype in an ImageDraw instance operates on a long text argument. An attacker can cause the service to crash by processing a task that uncontrollably allocates memory.

Completion Criteria

  • Fix: Pin pillow to version 10.0.1
@tmpayton tmpayton added Bug Security: high Remediate within 30 days labels Sep 27, 2023
@tmpayton tmpayton added this to the Sprint 22 innovation milestone Sep 27, 2023
@tmpayton tmpayton removed the Bug label Sep 27, 2023
@pkfec pkfec self-assigned this Sep 28, 2023
pkfec (Contributor) commented Sep 28, 2023

ERROR: Cannot install pillow==10.0.1 and wagtail==4.2.3 because these package versions have conflicting dependencies.

pkfec (Contributor) commented Sep 28, 2023

Upgrading wagtail to v5.1.2 alone didn't fix the pillow Snyk vulnerability:

✗ Heap-based Buffer Overflow (new) [Critical Severity][https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878] in pillow@9.5.0
   introduced by wagtail@5.1.2 > pillow@9.5.0

pkfec (Contributor) commented Sep 28, 2023

Upgrading wagtail to v5.1.2 along with pinning pillow to v10.0.1 seems to fix this Snyk vulnerability.

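The resolution described in the comments above (upgrade wagtail first, then pin pillow at or above 10.0.1) is easy to regress the next time the requirements file is touched. The following is an added example, not code from this issue or from the repository, that checks a requirements file against the two fix thresholds quoted in the issue: 10.0.1 for the heap-based buffer overflow and 10.0.0 for the resource exhaustion. The sample requirements text, the FIXED_VERSIONS table and the function names are constructed for the example; the version parser handles plain release versions only and is not a substitute for the `packaging` library.

```python
"""Check a requirements file for the pillow pin this issue calls for.

Added example, not part of the issue or the project's code. Standard library
only: the version parser understands release segments such as "10.0.1" and
ignores pre-/post-release tags, which is enough for a pin check like this.
"""
import re

# Fix thresholds taken from the two Snyk findings quoted in the issue.
FIXED_VERSIONS = {
    "heap-based buffer overflow (CVE-2023-4863)": (10, 0, 1),
    "uncontrolled resource consumption (SNYK-PYTHON-PILLOW-6043904)": (10, 0, 0),
}

# Constructed sample, not the project's real requirements file.
SAMPLE_REQUIREMENTS = """\
# pinned after upgrading wagtail
wagtail==5.1.2
Pillow==10.0.1
django>=4.2
"""

# name, optional operator, version (stops at whitespace, markers or comments)
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|>|<=|<|!=)?\s*([^\s;#]*)"
)


def normalize_name(name):
    """PEP 503 normalization so 'Pillow' and 'pillow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Return the release segment of a version string as an int tuple."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unsupported version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def parse_requirements(text):
    """Map normalized package name -> (operator, version string).

    Only the first specifier on a line is kept ("pillow>=10.0.1,<11" yields
    (">=", "10.0.1,<11"), and parse_version reads the leading bound).
    """
    reqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option such as -r/-c
        match = REQ_RE.match(line)
        if match:
            name, op, ver = match.groups()
            reqs[normalize_name(name)] = (op, ver)
    return reqs


def pillow_status(requirements_text):
    """For each finding, True if the pillow pin guarantees the fixed version.

    Only '==', '>=' and '~=' establish a lower bound; an unpinned line or an
    upper bound alone leaves the resolver free to pick 9.5.0 again.
    """
    reqs = parse_requirements(requirements_text)
    op, ver = reqs.get("pillow", (None, ""))
    if op not in ("==", ">=", "~="):
        return {finding: False for finding in FIXED_VERSIONS}
    pinned = parse_version(ver)
    return {finding: pinned >= fixed for finding, fixed in FIXED_VERSIONS.items()}


if __name__ == "__main__":
    for finding, ok in pillow_status(SAMPLE_REQUIREMENTS).items():
        print(f"{'remediated  ' if ok else 'UNREMEDIATED'}  {finding}")
```

Run it against the real requirements file in CI after the dependency upgrade; a loosened or missing pillow line reports both findings as unremediated, which is exactly the state the first comment in this thread hit when wagtail and pillow were pinned inconsistently.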
@cnlucas cnlucas changed the title [Snyk: High] pillow Heap-based Buffer Overflow (Due 10/27/2023) [Snyk: Critical] pillow Heap-based Buffer Overflow (Due 10/27/2023) Nov 8, 2023
@pkfec pkfec modified the milestones: Sprint 23.2, Sprint 23.3 Nov 14, 2023
@pkfec pkfec modified the milestones: Sprint 23.3, Sprint 23.4 Nov 28, 2023
@rfultz rfultz removed this from the Sprint 23.4 milestone Dec 12, 2023
pkfec (Contributor) commented Feb 1, 2024

Changes merged in PR #6020. Closing this issue.

@pkfec pkfec closed this as completed Feb 1, 2024