rpm package
suse/python-Pillow&distro=SUSE OpenStack Cloud 7
pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207
Vulnerabilities (58)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-34552 | — | < 2.8.1-4.25.1 | 2.8.1-4.25.1 | Jul 13, 2021 | Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. | ||
| CVE-2021-28677 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A maliciou | ||
| CVE-2021-25288 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. | ||
| CVE-2021-25287 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la. | ||
| CVE-2021-28675 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load. | ||
| CVE-2020-10743 | — | < 2.8.1-4.12.1 | 2.8.1-4.12.1 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2021-28676 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load. | ||
| CVE-2021-25290 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Mar 19, 2021 | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size. | ||
| CVE-2021-27922 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large. | ||
| CVE-2021-27923 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Mar 3, 2021 | Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large. | ||
| CVE-2020-35653 | — | < 2.8.1-4.22.1 | 2.8.1-4.22.1 | Jan 12, 2021 | In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations. | ||
| CVE-2020-17376 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar | ||
| CVE-2020-11110 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2020-10177 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-10994 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. | ||
| CVE-2020-13379 | — | < 2.8.1-4.12.1 | 2.8.1-4.12.1 | Jun 3, 2020 | The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo | ||
| CVE-2020-13596 | — | < 2.8.1-4.12.1 | 2.8.1-4.12.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack. | ||
| CVE-2020-13254 | — | < 2.8.1-4.12.1 | 2.8.1-4.12.1 | Jun 3, 2020 | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. | ||
| CVE-2018-18625 | — | < 2.8.1-4.17.2 | 2.8.1-4.17.2 | Jun 2, 2020 | Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. |
- CVE-2021-34552Jul 13, 2021affected < 2.8.1-4.25.1fixed 2.8.1-4.25.1
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
- CVE-2021-28677Jun 2, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A maliciou
- CVE-2021-25288Jun 2, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.
- CVE-2021-25287Jun 2, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
- CVE-2021-28675Jun 2, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.
- CVE-2020-10743Jun 2, 2021affected < 2.8.1-4.12.1fixed 2.8.1-4.12.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2021-28676Jun 2, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.
- CVE-2021-25290Mar 19, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.
- CVE-2021-27922Mar 3, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.
- CVE-2021-27923Mar 3, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.
- CVE-2020-35653Jan 12, 2021affected < 2.8.1-4.22.1fixed 2.8.1-4.22.1
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
- CVE-2020-17376Aug 26, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
- CVE-2020-11110Jul 27, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2020-10177Jun 25, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-10994Jun 25, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
- CVE-2020-13379Jun 3, 2020affected < 2.8.1-4.12.1fixed 2.8.1-4.12.1
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information abo
- CVE-2020-13596Jun 3, 2020affected < 2.8.1-4.12.1fixed 2.8.1-4.12.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.
- CVE-2020-13254Jun 3, 2020affected < 2.8.1-4.12.1fixed 2.8.1-4.12.1
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.
- CVE-2018-18625Jun 2, 2020affected < 2.8.1-4.17.2fixed 2.8.1-4.17.2
Grafana 5.3.1 has XSS via a link on the "Dashboard > All Panels > General" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Page 1 of 3