Vulnerability Details : CVE-2016-9189
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information via a crafted image file, related to an integer overflow in Image.core.map_buffer in map.c.
Vulnerability category: Overflow
Products affected by CVE-2016-9189
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9189
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~43% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2016-9189
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST |
CWE ids for CVE-2016-9189
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-9189
- https://github.com/python-pillow/Pillow/pull/2146/commits/c50ebe6459a131a1ea8ca531f10da616d3ceaa0f
  Fixes for #2105 by wiredfool · Pull Request #2146 · python-pillow/Pillow · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/python-pillow/Pillow/issues/2105
  Multiple memory corruption vulnerabilities · Issue #2105 · python-pillow/Pillow · GitHub (Issue Tracking; Patch; Third Party Advisory)
- http://www.debian.org/security/2016/dsa-3710
  Debian -- Security Information -- DSA-3710-1 pillow (Third Party Advisory)
- http://www.securityfocus.com/bid/94234
  Python Pillow Multiple Security Vulnerabilities (Third Party Advisory; VDB Entry)
- https://security.gentoo.org/glsa/201612-52
  Pillow: Multiple vulnerabilities (GLSA 201612-52) — Gentoo security
- http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
  Maze Found | Read the Docs (Vendor Advisory)