CVE-2019-16865

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Published: Oct 5, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-16865
GHSA: GHSA-j7mj-748x-7p78
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
python / pillow	-	6.2.0
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
Pillow	-	6.2.0

https://access.redhat.com/errata/RHSA-2020:0566
https://access.redhat.com/errata/RHSA-2020:0578
https://access.redhat.com/errata/RHSA-2020:0580
https://access.redhat.com/errata/RHSA-2020:0681
https://access.redhat.com/errata/RHSA-2020:0683
https://access.redhat.com/errata/RHSA-2020:0694
https://github.com/python-pillow/Pillow/issues/4123
https://lists.fedoraproject.org/archives/list/[email protected]/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMJBUZQGQ2Q7HXYCQVRLU7OXNC7CAWWU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYDXD7EE4YAEVSTNIFZKNVPRVJX5ZOG3/
https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html
https://usn.ubuntu.com/4272-1/
https://www.debian.org/security/2020/dsa-4631

Vulnerability Database

289,697

CVE-2019-16865