levyforchh / calm-dsl Goto Github PK

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Publish Date: 2020-06-25

URL: CVE-2020-11538

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10177

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. The previous fix for CVE-2020-35654 was insufficent due to incorrect error checking in TiffDecode.c, so the potentially exploitable heap-based buffer overflow when decoding crafted YCbCr files is still possible.

Publish Date: 2021-01-18

URL: CVE-2021-25289

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Publish Date: 2021-01-12

URL: CVE-2020-35654

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35654

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/7a/ac/e5caaa241de06024766872714c38d14e5f885dc453a4b8f9e6463b67c164/lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/gui-requirements.txt

Path to vulnerable library: calm-dsl/gui-requirements.txt

Dependency Hierarchy:

• jupyter_contrib_nbextensions-0.5.1-py2.py3-none-any.whl (Root Library)
  • ❌ lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

lxml 4.6.2 allows XSS. It places the HTML action attribute into defs.link_attrs (in html/defs.py) for later use in input sanitization, but does not do the same for the HTML5 formaction attribute.

Publish Date: 2021-03-21

URL: CVE-2021-28957

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28957

Release Date: 2021-03-21

Fix Resolution: 4.6.2

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.

Publish Date: 2020-06-25

URL: CVE-2020-10378

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. In TiffDecode.c, invalid tile boundaries could lead to an out of bounds read in TiffReadRGBATile.

Publish Date: 2021-01-18

URL: CVE-2021-25291

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27921

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

Publish Date: 2021-01-12

URL: CVE-2020-35655

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35655

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. There is an out of bounds read in SGIRleDecode.c, since pillow 4.3.0.

Publish Date: 2021-01-18

URL: CVE-2021-25293

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. The PDF parser has a catastrophic backtracking regex that could be used in a denial of service (DoS) attack.

Publish Date: 2021-01-18

URL: CVE-2021-25292

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Publish Date: 2020-06-25

URL: CVE-2020-10994

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27922

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

Publish Date: 2021-01-12

URL: CVE-2020-35653

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35653

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - notebook-5.7.9-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/69/3c/ddeb2946f33f3e4058f4b7f996ae737c044a4c5c66a552a6e64817421b80/notebook-5.7.9-py2.py3-none-any.whl

Path to dependency file: calm-dsl/gui-requirements.txt

Path to vulnerable library: calm-dsl/gui-requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ipywidgets-7.5.1-py2.py3-none-any.whl
    • widgetsnbextension-3.5.1-py2.py3-none-any.whl
      • ❌ notebook-5.7.9-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.

Publish Date: 2020-11-18

URL: CVE-2020-26215

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-c7vm-f5p4-8fqh

Release Date: 2020-11-18

Fix Resolution: 6.1.5

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Publish Date: 2021-01-18

URL: CVE-2021-25290

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10379

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl

Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.

Library home page: https://files.pythonhosted.org/packages/7a/ac/e5caaa241de06024766872714c38d14e5f885dc453a4b8f9e6463b67c164/lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/gui-requirements.txt

Path to vulnerable library: calm-dsl/gui-requirements.txt

Dependency Hierarchy:

• jupyter_contrib_nbextensions-0.5.1-py2.py3-none-any.whl (Root Library)
  • ❌ lxml-4.5.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Publish Date: 2020-12-03

URL: CVE-2020-27783

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1901633

Release Date: 2020-10-27

Fix Resolution: 4.6.1

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: calm-dsl/gui-requirements.txt

Path to vulnerable library: calm-dsl/gui-requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • ipywidgets-7.5.1-py2.py3-none-any.whl
    • widgetsnbextension-3.5.1-py2.py3-none-any.whl
      • notebook-5.7.9-py2.py3-none-any.whl
        • ❌ ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: 3.5.3-1+deb9u2, 3.7.3-2+deb10u2, 3.8.4~rc1-1

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: calm-dsl/requirements.txt

Path to vulnerable library: calm-dsl/requirements.txt

Dependency Hierarchy:

• asciimatics-1.11.0-py2.py3-none-any.whl (Root Library)
  • ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27923

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html

Release Date: 2021-03-03

Fix Resolution: Pillow - 8.1.2