Skip to main content

Pillow CVE-2020-10994

MEDIUM
Out-of-bounds Read (CWE-125)
2020-06-25 cve@mitre.org
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 25, 2020 - 19:15 nvd
MEDIUM 5.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 19 pypi packages depend on pillow (13 direct, 6 indirect)

Ecosystem-wide dependent count for version 7.1.0.

DescriptionNVD

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

AnalysisAI

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. Affected products include: Python Pillow, Fedoraproject Fedora, Canonical Ubuntu Linux. Version information: before 7.1.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

More in Pillow

View all
CVE-2022-30595 CRITICAL POC
9.8 May 25

libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. Rated

CVE-2021-23437 HIGH POC
7.5 Sep 03

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb

CVE-2025-48379 HIGH POC
7.1 Jul 01

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a

CVE-2016-4009 CRITICAL
9.8 Apr 13

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote

CVE-2014-3007 CRITICAL
10.0 Apr 27

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands v

CVE-2021-34552 CRITICAL
9.8 Jul 13

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters

CVE-2021-25289 CRITICAL
9.8 Mar 19

An issue was discovered in Pillow before 8.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-5312 CRITICAL
9.8 Jan 03

libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. Rated critical severity (CVSS 9.8), this

CVE-2020-5311 CRITICAL
9.8 Jan 03

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. Rated critical severity (CVSS 9.8), this vu

CVE-2022-24303 CRITICAL
9.1 Mar 28

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. Rated critica

CVE-2021-25288 CRITICAL
9.1 Jun 02

An issue was discovered in Pillow before 8.2.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2021-25287 CRITICAL
9.1 Jun 02

An issue was discovered in Pillow before 8.2.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

Share

CVE-2020-10994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy