search

pferron / Case133152

0 stars 0 forks source link

pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl: 1 vulnerabilities (highest severity is: 6.7) - autoclosed #5

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 4 months ago
Vulnerable Library - pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/87/0d/8f5136a5481731c342a901ff155c587ce7804114db069345e1894ab4978a/pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (pillow version) Remediation Possible**
CVE-2024-28219 Medium 6.7 pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl Direct pillow - 10.3.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-28219 ### Vulnerable Library - pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/87/0d/8f5136a5481731c342a901ff155c587ce7804114db069345e1894ab4978a/pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **pillow-10.2.0-cp39-cp39-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 980c33eab0567755c6395fde59d9ac00f8cd245a

Found in base branch: main

### Vulnerability Details

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Publish Date: 2024-04-03

URL: CVE-2024-28219

### CVSS 3 Score Details (6.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#security

Release Date: 2024-04-03

Fix Resolution: pillow - 10.3.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.