davidspek / kubeflownotebooks

Notebook Server Images for Kubeflow
9 stars 6 forks source link

CVE-2023-44271 (High) detected in Pillow-9.4.0-cp37-cp37m-manylinux_2_28_x86_64.whl #799

Open mend-bolt-for-github[bot] opened 6 months ago

mend-bolt-for-github[bot] commented 6 months ago

CVE-2023-44271 - High Severity Vulnerability

Vulnerable Library - Pillow-9.4.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/36/31/9fae23878d894adae29aced659d41a78325669dd23018b26ab355828e870/Pillow-9.4.0-cp37-cp37m-manylinux_2_28_x86_64.whl

Path to dependency file: /jupyter-tensorflow-full/requirements.txt

Path to vulnerable library: /jupyter-tensorflow-full/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch/cpu-requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-scipy/requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-scipy/requirements.txt

Dependency Hierarchy: - :x: **Pillow-9.4.0-cp37-cp37m-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 513157c5d3f5743d53e228da1ec8289e92c92836

Found in base branch: master

Vulnerability Details

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

Publish Date: 2023-11-03

URL: CVE-2023-44271

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-03

Fix Resolution: Pillow - 10.0.0


Step up your Open Source Security Game with Mend here