Moderate severityNVD Advisory· Published Jan 12, 2021· Updated Aug 4, 2024
CVE-2020-35655
CVE-2020-35655
Description
In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pillowPyPI | >= 4.3.0, < 8.1.0 | 8.1.0 |
Affected products
9- Pillow/Pillowdescription
- osv-coords8 versionspkg:bitnami/pillowpkg:pypi/pillowpkg:rpm/almalinux/python3-pillowpkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
>= 4.3.0, < 8.1.0+ 7 more
- (no CPE)range: >= 4.3.0, < 8.1.0
- (no CPE)range: >= 4.3.0, < 8.1.0
- (no CPE)range: < 5.1.1-16.el8
- (no CPE)range: < 2.5.1-lp152.2.3.1
- (no CPE)range: < 8.3.1-lp152.5.3.1
- (no CPE)range: < 8.3.2-1.2
- (no CPE)range: < 5.2.0-3.8.1
- (no CPE)range: < 5.2.0-3.8.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-hf64-x4gq-p99hghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-35655ghsaADVISORY
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-71.yamlghsaWEB
- github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bfghsaWEB
- github.com/python-pillow/Pillow/commit/7e95c63fa7f503f185d3d9eb16b9cee1e54d1e46ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHEghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YDghsaWEB
- pillow.readthedocs.io/en/stable/releasenotes/index.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.