search

dandavison / temporal-animations

A toolkit for creating animations explaining Temporal
https://go.temporal.io/temporal-animations/
4 stars 0 forks source link

Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl: 1 vulnerabilities (highest severity is: 7.5) #1

Open mend-for-github-com[bot] opened 10 months ago

mend-for-github-com[bot] commented 10 months ago
Vulnerable Library - Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/3d/59/e6bd2c3715ace343d9739276ceed79657fe116923238d102cf731ab463dd/Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl

Found in HEAD commit: 4553526100f8011351ce57019aa1f8b44568d382

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Pillow version) Remediation Possible**
CVE-2023-44271 High 7.5 Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl Direct Pillow - 10.0.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-44271 ### Vulnerable Library - Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/3d/59/e6bd2c3715ace343d9739276ceed79657fe116923238d102cf731ab463dd/Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl

Dependency Hierarchy: - :x: **Pillow-9.5.0-cp311-cp311-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 4553526100f8011351ce57019aa1f8b44568d382

Found in base branch: main

### Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0

dandavison commented 9 months ago

This is a manim dependency. It will be fixed at next manim release: https://github.com/ManimCommunity/manim/blob/main/pyproject.toml#L44