{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-22T12:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"}, {"name": "FEDORA-2021-a8ddc1ce70", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"}, {"name": "FEDORA-2021-880aa7bd27", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"}, {"name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35653", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html", "refsource": "MISC", "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"}, {"name": "FEDORA-2021-a8ddc1ce70", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"}, {"name": "FEDORA-2021-880aa7bd27", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"}, {"name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:09:14.596Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"}, {"name": "FEDORA-2021-a8ddc1ce70", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"}, {"name": "FEDORA-2021-880aa7bd27", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"}, {"name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35653", "datePublished": "2021-01-12T08:02:35", "dateReserved": "2020-12-23T00:00:00", "dateUpdated": "2024-08-04T17:09:14.596Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFEF53BA-9372-468F-9B1E-6F9C5FF526A9", "versionEndExcluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations."}, {"lang": "es", "value": "En Pillow versiones anteriores a 8.1.0, la funci\u00f3n PcxDecode presenta una lectura excesiva del b\u00fafer cuando se decodifica un archivo PCX dise\u00f1ado porque el valor de paso suministrado por el usuario es confiable para los c\u00e1lculos del b\u00fafer"}], "id": "CVE-2020-35653", "lastModified": "2023-11-07T03:22:01.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-12T09:15:13.870", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4149", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pillow-0:5.1.1-16.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:3917", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-rhel8:v3.6.0-62", "product_name": "Red Hat Quay 3", "release_date": "2021-10-19T00:00:00Z"}], "bugzilla": {"description": "python-pillow: Buffer over-read in PCX image reader", "id": "1915420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915420"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-20->CWE-125", "details": ["In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.", "A flaw was found in python-pillow. The PcxDecode in Pillow has a buffer over-read when decoding a crafted PCX file due to the user-supplied stride value trusted for buffer calculations. The highest threat from this vulnerability is to system availability."], "name": "CVE-2020-35653", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-pillow", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python-pillow", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-builder-qemu-rhcos-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2021-01-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-35653\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35653\nhttps://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security"], "threat_severity": "Low", "upstream_fix": "python-pillow 8.1.0"}