Fluid Attacks Database

Description

Pillow subject to DoS via SAMPLESPERPIXEL tag Pillow starting with 9.2.0 and prior to 9.3.0 allows denial of service via SAMPLESPERPIXEL. A large value in the SAMPLESPERPIXEL tag could lead to a memory and runtime DOS in TiffImagePlugin.py when setting up the context for image decoding. This issue has been patched in version 9.3.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	pillow	>=0 <9.3.0-1	9.3.0-1
debian 13	pillow	>=0 <9.3.0-1	9.3.0-1
debian 12	pillow	>=0 <9.3.0-1	9.3.0-1
pypi	pillow	>=9.2.0 <9.3.0	9.3.0

Aliases

1. CVE-2022-451992. NVD-2022-451993. OSV-DEBIAN-2022-451994. OSV-2022-451995. GCVE-2022-451996. SECURITY-TRACKER-CVE-2022-451997. security.gentoo.org

References

1. https://github.com/python-pillow/Pillow/pull/67002. https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf33. https://bugs.gentoo.org/8787694. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42980.yaml5. https://github.com/python-pillow/Pillow/releases/tag/9.3.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.