Fluid Attacks Database

Description

Out-of-bounds Read in Pillow path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=0 <9.0.0	9.0.0
alpine v3.15	py3-pillow	=7.1.1-r0 \|\| =7.1.2-r0 \|\| =7.2.0-r0 \|\| =8.1.0-r0 \|\| =8.1.2-r0 \|\| =8.1.2-r1 \|\| =8.4.0-r0 \|\| =8.4.0-r1 \|\| >=0 <8.4.0-r2	8.4.0-r2
debian 11	pillow	=8.1.2+dfsg-0.3 \|\| >=0 <8.1.2+dfsg-0.3+deb11u1	8.1.2+dfsg-0.3+deb11u1
debian 12	pillow	>=0 <9.0.0-1	9.0.0-1
debian 13	pillow	>=0 <9.0.0-1	9.0.0-1
debian 14	pillow	>=0 <9.0.0-1	9.0.0-1
rpm rhel8.2	python-pillow	<0:5.1.1-14.el8_2	0:5.1.1-14.el8_2
rpm rhel7	python-pillow	<0:2.0.0-23.gitd1c6db8.el7_9	0:2.0.0-23.gitd1c6db8.el7_9
rpm rhel8	python-pillow	<0:5.1.1-18.el8_5	0:5.1.1-18.el8_5
rpm rhel8.4	python-pillow	<0:5.1.1-14.el8_4	0:5.1.1-14.el8_4

Aliases

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.