Skip to main content

Pillow CVE-2020-5313

HIGH
Out-of-bounds Read (CWE-125)
2020-01-03 cve@mitre.org
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jan 03, 2020 - 01:15 nvd
HIGH 7.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 144 pypi packages depend on pillow (115 direct, 30 indirect)

Ecosystem-wide dependent count for version 6.2.2.

DescriptionNVD

libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.

AnalysisAI

libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow. Affected products include: Python Pillow, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora. Version information: before 6.2.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

More in Pillow

View all
CVE-2022-30595 CRITICAL POC
9.8 May 25

libImaging/TgaRleDecode.c in Pillow 9.1.0 has a heap buffer overflow in the processing of invalid TGA image files. Rated

CVE-2021-23437 HIGH POC
7.5 Sep 03

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb

CVE-2025-48379 HIGH POC
7.1 Jul 01

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a

CVE-2016-4009 CRITICAL
9.8 Apr 13

Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote

CVE-2014-3007 CRITICAL
10.0 Apr 27

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands v

CVE-2021-34552 CRITICAL
9.8 Jul 13

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters

CVE-2021-25289 CRITICAL
9.8 Mar 19

An issue was discovered in Pillow before 8.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-5312 CRITICAL
9.8 Jan 03

libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow. Rated critical severity (CVSS 9.8), this

CVE-2020-5311 CRITICAL
9.8 Jan 03

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow. Rated critical severity (CVSS 9.8), this vu

CVE-2022-24303 CRITICAL
9.1 Mar 28

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. Rated critica

CVE-2021-25288 CRITICAL
9.1 Jun 02

An issue was discovered in Pillow before 8.2.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2021-25287 CRITICAL
9.1 Jun 02

An issue was discovered in Pillow before 8.2.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

Share

CVE-2020-5313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy