CVE-2024-28219

CVSS Score: 6.7 (Medium)
Published: Apr 03, 2024
Last Modified: Nov 04, 2025

Vulnerability Description

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: L
Attack Complexity: H
Privileges Required: L
User Interaction: R
Scope: U
Confidentiality: H
Integrity: H
Availability: H

Known Affected Software

85 configuration(s) from 2 vendor(s)

debian_linux | Version: 10.0 | CPE: cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
pillow | Version: 1.0 | CPE: cpe:2.3:a:python:pillow:1.0:*:*:*:*:*:*:*
pillow | Version: 2.8.2 | CPE: cpe:2.3:a:python:pillow:2.8.2:*:*:*:*:*:*:*
pillow | Version: 7.2.0 | CPE: cpe:2.3:a:python:pillow:7.2.0:*:*:*:*:*:*:*
pillow | Version: 1.7.3 | CPE: cpe:2.3:a:python:pillow:1.7.3:*:*:*:*:*:*:*
pillow | Version: 1.7.0 | CPE: cpe:2.3:a:python:pillow:1.7.0:*:*:*:*:*:*:*
pillow | Version: 1.2 | CPE: cpe:2.3:a:python:pillow:1.2:*:*:*:*:*:*:*
pillow | Version: 2.9.0 | CPE: cpe:2.3:a:python:pillow:2.9.0:*:*:*:*:*:*:*
pillow | Version: 3.3.2 | CPE: cpe:2.3:a:python:pillow:3.3.2:*:*:*:*:*:*:*
pillow | Version: 6.0.0 | CPE: cpe:2.3:a:python:pillow:6.0.0:*:*:*:*:*:*:*
pillow | Version: 9.5.0 | CPE: cpe:2.3:a:python:pillow:9.5.0:*:*:*:*:*:*:*
pillow | Version: 8.3.1 | CPE: cpe:2.3:a:python:pillow:8.3.1:*:*:*:*:*:*:*
pillow | Version: 9.0.1 | CPE: cpe:2.3:a:python:pillow:9.0.1:*:*:*:*:*:*:*
pillow | Version: 8.1.1 | CPE: cpe:2.3:a:python:pillow:8.1.1:*:*:*:*:*:*:*
pillow | Version: 3.4.0 | CPE: cpe:2.3:a:python:pillow:3.4.0:*:*:*:*:*:*:*
pillow | Version: 10.0.1 | CPE: cpe:2.3:a:python:pillow:10.0.1:*:*:*:*:*:*:*
pillow | Version: 1.7.8 | CPE: cpe:2.3:a:python:pillow:1.7.8:*:*:*:*:*:*:*
pillow | Version: 7.1.0 | CPE: cpe:2.3:a:python:pillow:7.1.0:*:*:*:*:*:*:*
pillow | Version: 5.4.0 | CPE: cpe:2.3:a:python:pillow:5.4.0:*:*:*:*:*:*:*
pillow | Version: 5.1.0 | CPE: cpe:2.3:a:python:pillow:5.1.0:*:*:*:*:*:*:*
pillow | Version: 2.8.1 | CPE: cpe:2.3:a:python:pillow:2.8.1:*:*:*:*:*:*:*
pillow | Version: 1.6 | CPE: cpe:2.3:a:python:pillow:1.6:*:*:*:*:*:*:*
pillow | Version: 5.4.1 | CPE: cpe:2.3:a:python:pillow:5.4.1:*:*:*:*:*:*:*
pillow | Version: 1.7.2 | CPE: cpe:2.3:a:python:pillow:1.7.2:*:*:*:*:*:*:*
pillow | Version: 1.7.1 | CPE: cpe:2.3:a:python:pillow:1.7.1:*:*:*:*:*:*:*
pillow | Version: 4.3.0 | CPE: cpe:2.3:a:python:pillow:4.3.0:*:*:*:*:*:*:*
pillow | Version: 5.0.0 | CPE: cpe:2.3:a:python:pillow:5.0.0:*:*:*:*:*:*:*
pillow | Version: 1.4 | CPE: cpe:2.3:a:python:pillow:1.4:*:*:*:*:*:*:*
pillow | Version: 2.8.0 | CPE: cpe:2.3:a:python:pillow:2.8.0:*:*:*:*:*:*:*
pillow | Version: 6.2.2 | CPE: cpe:2.3:a:python:pillow:6.2.2:*:*:*:*:*:*:*
pillow | Version: 8.2.0 | CPE: cpe:2.3:a:python:pillow:8.2.0:*:*:*:*:*:*:*
pillow | Version: 2.6.2 | CPE: cpe:2.3:a:python:pillow:2.6.2:*:*:*:*:*:*:*
pillow | Version: 4.2.0 | CPE: cpe:2.3:a:python:pillow:4.2.0:*:*:*:*:*:*:*
pillow | Version: 1.7.6 | CPE: cpe:2.3:a:python:pillow:1.7.6:*:*:*:*:*:*:*
pillow | Version: 2.5.2 | CPE: cpe:2.3:a:python:pillow:2.5.2:*:*:*:*:*:*:*
pillow | Version: 8.3.2 | CPE: cpe:2.3:a:python:pillow:8.3.2:*:*:*:*:*:*:*
pillow | Version: 2.6.0 | CPE: cpe:2.3:a:python:pillow:2.6.0:*:*:*:*:*:*:*
pillow | Version: 1.3 | CPE: cpe:2.3:a:python:pillow:1.3:*:*:*:*:*:*:*
pillow | Version: 1.5 | CPE: cpe:2.3:a:python:pillow:1.5:*:*:*:*:*:*:*
pillow | Version: 6.2.0 | CPE: cpe:2.3:a:python:pillow:6.2.0:*:*:*:*:*:*:*
pillow | Version: 2.5.1 | CPE: cpe:2.3:a:python:pillow:2.5.1:*:*:*:*:*:*:*
pillow | Version: 7.1.1 | CPE: cpe:2.3:a:python:pillow:7.1.1:*:*:*:*:*:*:*
pillow | Version: 2.3.0 | CPE: cpe:2.3:a:python:pillow:2.3.0:*:*:*:*:*:*:*
pillow | Version: 6.2.3 | CPE: cpe:2.3:a:python:pillow:6.2.3:*:*:*:*:*:*:*
pillow | Version: 10.1.0 | CPE: cpe:2.3:a:python:pillow:10.1.0:*:*:*:*:*:*:*
pillow | Version: 2.2.1 | CPE: cpe:2.3:a:python:pillow:2.2.1:*:*:*:*:*:*:*
pillow | Version: 3.3.1 | CPE: cpe:2.3:a:python:pillow:3.3.1:*:*:*:*:*:*:*
pillow | Version: 8.0.0 | CPE: cpe:2.3:a:python:pillow:8.0.0:*:*:*:*:*:*:*
pillow | Version: 2.7.0 | CPE: cpe:2.3:a:python:pillow:2.7.0:*:*:*:*:*:*:*
pillow | Version: 4.0.0 | CPE: cpe:2.3:a:python:pillow:4.0.0:*:*:*:*:*:*:*
pillow | Version: 3.0.0 | CPE: cpe:2.3:a:python:pillow:3.0.0:*:*:*:*:*:*:*
pillow | Version: 7.0.0 | CPE: cpe:2.3:a:python:pillow:7.0.0:*:*:*:*:*:*:*
pillow | Version: 2.1.0 | CPE: cpe:2.3:a:python:pillow:2.1.0:*:*:*:*:*:*:*
pillow | Version: 4.1.0 | CPE: cpe:2.3:a:python:pillow:4.1.0:*:*:*:*:*:*:*
pillow | Version: 10.0.0 | CPE: cpe:2.3:a:python:pillow:10.0.0:*:*:*:*:*:*:*
pillow | Version: 8.1.0 | CPE: cpe:2.3:a:python:pillow:8.1.0:*:*:*:*:*:*:*
pillow | Version: 1.7.4 | CPE: cpe:2.3:a:python:pillow:1.7.4:*:*:*:*:*:*:*
pillow | Version: 2.4.0 | CPE: cpe:2.3:a:python:pillow:2.4.0:*:*:*:*:*:*:*
pillow | Version: 2.5.3 | CPE: cpe:2.3:a:python:pillow:2.5.3:*:*:*:*:*:*:*
pillow | Version: 2.5.0 | CPE: cpe:2.3:a:python:pillow:2.5.0:*:*:*:*:*:*:*
pillow | Version: 9.2.0 | CPE: cpe:2.3:a:python:pillow:9.2.0:*:*:*:*:*:*:*
pillow | Version: 5.3.0 | CPE: cpe:2.3:a:python:pillow:5.3.0:*:*:*:*:*:*:*
pillow | Version: 2.6.1 | CPE: cpe:2.3:a:python:pillow:2.6.1:*:*:*:*:*:*:*
pillow | Version: 8.0.1 | CPE: cpe:2.3:a:python:pillow:8.0.1:*:*:*:*:*:*:*
pillow | Version: 8.3.0 | CPE: cpe:2.3:a:python:pillow:8.3.0:*:*:*:*:*:*:*
pillow | Version: 9.1.0 | CPE: cpe:2.3:a:python:pillow:9.1.0:*:*:*:*:*:*:*
pillow | Version: 8.4.0 | CPE: cpe:2.3:a:python:pillow:8.4.0:*:*:*:*:*:*:*
pillow | Version: 1.7.7 | CPE: cpe:2.3:a:python:pillow:1.7.7:*:*:*:*:*:*:*
pillow | Version: 2.0.0 | CPE: cpe:2.3:a:python:pillow:2.0.0:*:*:*:*:*:*:*
pillow | Version: 10.2.0 | CPE: cpe:2.3:a:python:pillow:10.2.0:*:*:*:*:*:*:*
pillow | Version: 7.1.2 | CPE: cpe:2.3:a:python:pillow:7.1.2:*:*:*:*:*:*:*
pillow | Version: 9.0.0 | CPE: cpe:2.3:a:python:pillow:9.0.0:*:*:*:*:*:*:*
pillow | Version: 9.4.0 | CPE: cpe:2.3:a:python:pillow:9.4.0:*:*:*:*:*:*:*
pillow | Version: 4.1.1 | CPE: cpe:2.3:a:python:pillow:4.1.1:*:*:*:*:*:*:*
pillow | Version: 4.2.1 | CPE: cpe:2.3:a:python:pillow:4.2.1:*:*:*:*:*:*:*
pillow | Version: 2.2.0 | CPE: cpe:2.3:a:python:pillow:2.2.0:*:*:*:*:*:*:*
pillow | Version: 3.1.0 | CPE: cpe:2.3:a:python:pillow:3.1.0:*:*:*:*:*:*:*
pillow | Version: 9.3.0 | CPE: cpe:2.3:a:python:pillow:9.3.0:*:*:*:*:*:*:*
pillow | Version: 1.7.5 | CPE: cpe:2.3:a:python:pillow:1.7.5:*:*:*:*:*:*:*
pillow | Version: 8.1.2 | CPE: cpe:2.3:a:python:pillow:8.1.2:*:*:*:*:*:*:*
pillow | Version: 5.2.0 | CPE: cpe:2.3:a:python:pillow:5.2.0:*:*:*:*:*:*:*
pillow | Version: 1.1 | CPE: cpe:2.3:a:python:pillow:1.1:*:*:*:*:*:*:*
pillow | Version: 2.2.2 | CPE: cpe:2.3:a:python:pillow:2.2.2:*:*:*:*:*:*:*
pillow | Version: 2.3.1 | CPE: cpe:2.3:a:python:pillow:2.3.1:*:*:*:*:*:*:*
pillow | Version: 9.1.1 | CPE: cpe:2.3:a:python:pillow:9.1.1:*:*:*:*:*:*:*

This vulnerability affects 85 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

2 patches available from vendors

Oracle

CPUAPR2025

Oracle Critical Patch Update Advisory - April 2025

Severity: Critical
Released: Apr 15, 2025
Restart Required
Security Update
Oracle

CPUJAN2025

Oracle Critical Patch Update Advisory - January 2025

Severity: Critical
Released: Jan 21, 2025
Restart Required
Security Update

Severity Details

6.7 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-680: Integer Overflow to Buffer Overflow

Description: The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
Typical Severity: High
Abstraction Level: Compound

Key Information

Published Date: April 03, 2024