Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | python-imaging | 2023-07-13 23:57 | ALAS-2023-1787 |
Amazon Linux 2 - Core | python-pillow | 2023-06-05 16:39 | ALAS2-2023-2083 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.6 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |
NVD | CVSSv2 | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
NVD | CVSSv3 | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |