logo

Database

Improper dependency pinning In pillow

Description

Duplicate Advisory: Bundled libwebp in Pillow vulnerable

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-56pw-mpj4-fxww. This link is maintained to preserve external references.

Original Description

Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2023-48632. NVD-2023-51293. GCVE-GHSA-56pw-mpj4-fxww

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml2. https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.