CVE-2014-1933 – pillow

Package

Manager: pip
Name: pillow
Vulnerable Version: >=0 <2.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00111 pctl0.30136

Details

Pillow Temporary file name leakage The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

Metadata

Created: 2020-05-18T17:41:19Z
Modified: 2025-04-13T23:22:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-r854-96gq-rfg3/GHSA-r854-96gq-rfg3.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-r854-96gq-rfg3
Finding: F028
Auto approve: 1