python-Pillow (SUSE:OpenStack Cloud 7) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:OpenStack Cloud 7 package python-Pillow, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (58)
CVE-2019-19844 — CVSS 9.8 (critical): Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to…
CVE-2021-34552 — CVSS 9.8 (critical): Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a…
CVE-2016-4009 — CVSS 9.8 (critical): Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have…
CVE-2018-17954 — CVSS 9.3 (critical): An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud…
CVE-2021-25288 — CVSS 9.1 (critical): An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
CVE-2021-25287 — CVSS 9.1 (critical): An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
CVE-2020-17376 — CVSS 8.3 (high): An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By…
CVE-2020-13379 — CVSS 8.2 (high): The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated…
CVE-2016-9190 — CVSS 7.8 (high): Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an…
CVE-2019-15026 — CVSS 7.5 (high): memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.
CVE-2019-15043 — CVSS 7.5 (high): In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service…
CVE-2021-28676 — CVSS 7.5 (high): An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero…
CVE-2019-16865 — CVSS 7.5 (high): An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very…
CVE-2019-18874 — CVSS 7.5 (high): psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop…
CVE-2020-8151 — CVSS 7.5 (high): There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted…
CVE-2019-19911 — CVSS 7.5 (high): There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer…
CVE-2021-27922 — CVSS 7.5 (high): Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is…
CVE-2021-25290 — CVSS 7.5 (high): An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
CVE-2020-10663 — CVSS 7.5 (high): The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object…
CVE-2020-11076 — CVSS 7.5 (high): In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The…
CVE-2020-5390 — CVSS 7.5 (high): PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it…
CVE-2018-1000115 — CVSS 7.5 (high): Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the…
CVE-2021-28677 — CVSS 7.5 (high): An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any…
CVE-2021-27923 — CVSS 7.5 (high): Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is…
CVE-2019-11596 — CVSS 7.5 (high): In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of…
CVE-2020-35653 — CVSS 7.1 (high): In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted…
CVE-2019-16785 — CVSS 7.1 (high): Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and…
CVE-2019-16786 — CVSS 7.1 (high): Waitress through version 1.3.1 would parse the Transfer-Encoding header and only look for a single string value, if that value was not…
CVE-2019-16789 — CVSS 7.1 (high): In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that…
CVE-2019-16792 — CVSS 7.1 (high): Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double…
CVE-2020-11077 — CVSS 6.8 (medium): In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to…
CVE-2019-3498 — CVSS 6.5 (medium): In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used…
CVE-2016-2533 — CVSS 6.5 (medium): Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier…
CVE-2016-0775 — CVSS 6.5 (medium): Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial…
CVE-2020-5247 — CVSS 6.5 (medium): In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can…
CVE-2017-4965 — CVSS 6.1 (medium): An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and…
CVE-2017-4967 — CVSS 6.1 (medium): An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and…
CVE-2018-18623 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2018-18624 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for…
CVE-2018-18625 — CVSS 6.1 (medium): Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for…
CVE-2020-13596 — CVSS 6.1 (medium): An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin…
CVE-2019-0201 — CVSS 5.9 (medium): An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any…
CVE-2020-13254 — CVSS 5.9 (medium): An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key…
CVE-2016-3076 — CVSS 5.5 (medium): Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of…
CVE-2020-10994 — CVSS 5.5 (medium): In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
CVE-2020-10378 — CVSS 5.5 (medium): In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed…
CVE-2021-28675 — CVSS 5.5 (medium): An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to…
CVE-2016-9189 — CVSS 5.5 (medium): Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related…
CVE-2020-11110 — CVSS 5.4 (medium): Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject…
CVE-2017-1000246 — CVSS 5.3 (medium): Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak…
CVE-2020-10744 — CVSS 5.0 (medium): An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from…
CVE-2020-1733 — CVSS 5.0 (medium): A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an…
CVE-2020-10743 — CVSS 4.3 (medium): It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to…
CVE-2019-3828 — CVSS 4.2 (medium): Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files…