CVE-2014-9601

Description

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

CVSS Metrics

• v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 1.03%• Percentile: 78%

Techniques & Countermeasures

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• fedoraproject•fedora

  21

• opensuse•opensuse

  13.2

• Unknown•Solaris

  11.2

• PyPI•pillow

  < 2.7.0

• python•pillow

  ≤ 2.6.2

References (12)

• http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
• https://www.djangoproject.com/weblog/2015/jan/02/pillow-security-release/
• http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
• http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
• http://pillow.readthedocs.org/releasenotes/2.7.0.html
• http://www.securityfocus.com/bid/77758
• https://github.com/python-pillow/Pillow/pull/1060
• https://nvd.nist.gov/vuln/detail/CVE-2014-9601
• https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2015-16.yaml
• https://github.com/python-pillow/Pillow
• https://web.archive.org/web/20200227221255/http://www.securityfocus.com/bid/77758
• https://www.djangoproject.com/weblog/2015/jan/02/pillow-security-release