Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27921

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

Publish Date: 2020-06-25

URL: CVE-2020-11538

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27923

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.

Publish Date: 2021-01-12

URL: CVE-2020-35654

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35654

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/bf/a0/c630e9e3b7e7ea2492db1ca47ef7f741ef1a09f19c6642ef1a16ce996d9b/cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • ❌ cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4qr-2fvf-3mr5

Release Date: 2023-02-08

Fix Resolution: openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8

Vulnerable Library - urllib3-1.26.4-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/09/c6/d3e3abe5b4f4f16cf0dfc9240ab7ce10c2baa0e268989a4e3ec19e90c84e/urllib3-1.26.4-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• requests-2.25.1-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.26.4-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution (urllib3): 1.26.5

Direct dependency fix Resolution (requests): 2.26.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Publish Date: 2020-06-25

URL: CVE-2020-10994

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Publish Date: 2021-02-07

URL: CVE-2020-36242

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Release Date: 2021-02-07

Fix Resolution: cryptography - 3.3.2

Vulnerable Library - cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/bf/a0/c630e9e3b7e7ea2492db1ca47ef7f741ef1a09f19c6642ef1a16ce996d9b/cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • ❌ cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Publish Date: 2023-07-14

URL: CVE-2023-38325

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325

Release Date: 2023-07-14

Fix Resolution (cryptography): 41.0.2

Direct dependency fix Resolution (python-telegram-bot): 12.0.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.

Publish Date: 2020-01-03

URL: CVE-2020-5310

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5310

Release Date: 2020-01-03

Fix Resolution: Pillow - 6.2.2

Vulnerable Library - urllib3-1.25.7-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/b4/40/a9837291310ee1ccc242ceb6ebfd9eb21539649f193a7c8c86ba15b98539/urllib3-1.25.7-py2.py3-none-any.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ urllib3-1.25.7-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

Publish Date: 2020-03-06

URL: CVE-2020-7212

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7212

Release Date: 2020-03-06

Fix Resolution: 1.25.8

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. The PDF parser has a catastrophic backtracking regex that could be used in a denial of service (DoS) attack.

Publish Date: 2021-01-18

URL: CVE-2021-25292

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - ipaddress-1.0.23-py2.py3-none-any.whl

IPv4/IPv6 manipulation library

Library home page: https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl
    • ❌ ipaddress-1.0.23-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.

Publish Date: 2020-06-18

URL: CVE-2020-14422

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422

Release Date: 2020-06-18

Fix Resolution: v3.5.10,v3.6.12,v3.7.9,v3.8.4v3.9.0

Vulnerable Library - cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/bf/a0/c630e9e3b7e7ea2492db1ca47ef7f741ef1a09f19c6642ef1a16ce996d9b/cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • ❌ cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution (cryptography): 39.0.1

Direct dependency fix Resolution (python-telegram-bot): 12.0.0

Vulnerable Library - future-0.18.2.tar.gz

Clean single-source support for Python 3 and 2

Library home page: https://files.pythonhosted.org/packages/45/0b/38b06fd9b92dc2b68d58b75f900e97884c45bedd2ff83203d933cf5851c9/future-0.18.2.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • ❌ future-0.18.2.tar.gz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

Publish Date: 2022-12-23

URL: CVE-2022-40899

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/e2/67/4597fc5d5de01bb44887844647ab8e73239079dd478c35c52d58a9eb3d45/cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ cryptography-2.8-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2020-09-17

Fix Resolution: 3.2

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. The previous fix for CVE-2020-35654 was insufficent due to incorrect error checking in TiffDecode.c, so the potentially exploitable heap-based buffer overflow when decoding crafted YCbCr files is still possible.

Publish Date: 2021-01-18

URL: CVE-2021-25289

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.

Publish Date: 2020-01-03

URL: CVE-2020-5312

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5312

Release Date: 2020-01-03

Fix Resolution: Pillow - 6.2.2

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• requests-2.25.1-py2.py3-none-any.whl (Root Library)
  • ❌ certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Publish Date: 2023-07-25

URL: CVE-2023-37920

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xqr8-7jwr-rhp7

Release Date: 2023-07-25

Fix Resolution (certifi): 2023.7.22

Direct dependency fix Resolution (requests): 2.26.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

Publish Date: 2021-03-03

URL: CVE-2021-27922

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. In TiffDecode.c, invalid tile boundaries could lead to an out of bounds read in TiffReadRGBATile.

Publish Date: 2021-01-18

URL: CVE-2021-25291

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

Publish Date: 2020-01-03

URL: CVE-2020-5311

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5311

Release Date: 2020-01-03

Fix Resolution: Pillow - 6.2.2

Vulnerable Library - certifi-2020.12.5-py2.py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• requests-2.25.1-py2.py3-none-any.whl (Root Library)
  • ❌ certifi-2020.12.5-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (requests): 2.26.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.

Publish Date: 2020-06-25

URL: CVE-2020-10378

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

Publish Date: 2021-01-12

URL: CVE-2020-35655

CVSS 3 Score Details (5.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35655

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Publish Date: 2021-01-18

URL: CVE-2021-25290

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

A security issue was found in python-pillow before version 8.1.1. There is an out of bounds read in SGIRleDecode.c, since pillow 4.3.0.

Publish Date: 2021-01-18

URL: CVE-2021-25293

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html

Release Date: 2021-01-18

Fix Resolution: 8.1.1

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10177

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.

Publish Date: 2020-01-03

URL: CVE-2020-5313

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5313

Release Date: 2020-01-03

Fix Resolution: Pillow - 6.2.2

Vulnerable Library - cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/bf/a0/c630e9e3b7e7ea2492db1ca47ef7f741ef1a09f19c6642ef1a16ce996d9b/cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• python_telegram_bot-11.1.0-py2.py3-none-any.whl (Root Library)
  • ❌ cryptography-3.3.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: cryptography - 41.0.6

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.

Publish Date: 2020-01-05

URL: CVE-2019-19911

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/python-pillow/Pillow/tree/6.2.2

Release Date: 2020-01-05

Fix Resolution: Pillow - 6.2.2

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

Publish Date: 2021-01-12

URL: CVE-2020-35653

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35653

Release Date: 2021-01-12

Fix Resolution: 8.1.0

Vulnerable Library - Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/1b/08/ff620ef5a6128ee6e7a505f5716f81fce7b71f3a69e99646ebe64e0b9984/Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: TheSpreadBot/requirements.txt

Path to vulnerable library: TheSpreadBot/requirements.txt

Dependency Hierarchy:

• ❌ Pillow-6.2.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Vulnerability Details

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.

Publish Date: 2020-06-25

URL: CVE-2020-10379

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: python-pillow/Pillow@41b554b

Release Date: 2020-06-25

Fix Resolution: 7.1.0