Fluid Attacks Database

Description

Pillow Buffer overflow in Jpeg2KEncode.c Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pillow	>=2.5.0 <3.1.2	3.1.2
debian 13	pillow	>=0 <3.2.0-1	3.2.0-1
debian 12	pillow	>=0 <3.2.0-1	3.2.0-1
debian 11	pillow	>=0 <3.2.0-1	3.2.0-1
debian 14	pillow	>=0 <3.2.0-1	3.2.0-1

Aliases

1. CVE-2016-30762. NVD-2016-30763. OSV-2016-30764. OSV-DEBIAN-2016-30765. GCVE-2016-30766. SECURITY-TRACKER-CVE-2016-3076

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=13219292. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2017-92.yaml3. https://github.com/python-pillow/Pillow/blob/4.1.x/docs/releasenotes/3.1.2.rst4. https://web.archive.org/web/20200227174644/http://www.securityfocus.com/bid/980425. http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.