CVE-2020-5311

high-risk
Published 2020-01-03

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

Do I need to act?

~
1.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: a45c8583ff90312a2fddc38567ed736cef4af563, a79b65c47c7dc6fe623aadf09aa6192fc54548f3
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Debian Python Canonical Fedoraproject

References (16)

Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0566
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0580
Patch https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Release Notes https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Third Party Advisory https://usn.ubuntu.com/4272-1/
Third Party Advisory https://www.debian.org/security/2020/dsa-4631
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0566
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0580
Patch https://github.com/python-pillow/Pillow/commit/a79b65c47c7dc6fe623aadf09aa6192fc...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Release Notes https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html
Third Party Advisory https://usn.ubuntu.com/4272-1/
Third Party Advisory https://www.debian.org/security/2020/dsa-4631
50
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 4/34 · Minimal
Exposure 14/34 · Moderate