Pillow buffer overflow vulnerability · CVE-2024-28219 · GitHub Advisory Database · GitHub

Pillow buffer overflow vulnerability

Moderate severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 20, 2024

Package

pillow (pip)

Affected versions

< 10.3.0

Patched versions

10.3.0

Description

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

References

Published by the National Vulnerability Database

Apr 3, 2024

Published to the GitHub Advisory Database Apr 3, 2024

Reviewed Apr 3, 2024

Last updated Apr 20, 2024

Severity

Moderate

6.7

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

High

Privileges required

Low

User interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H