CVE-2016-3076

moderate-risk

Published 2017-04-24

Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

Do I need to act?

0.46% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (19)

Pillow

Affected Vendors

Python

References (6)

Release Notes http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html

http://www.securityfocus.com/bid/98042

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1321929

Release Notes http://pillow.readthedocs.io/en/4.1.x/releasenotes/3.1.2.html

http://www.securityfocus.com/bid/98042

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1321929

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 19/34 · Moderate