Vulnerability CVE-2014-3589


Published: 2014-08-25

Description:
PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.

Type:

CWE-20

(Improper Input Validation)

Vendor: Python
Product: Pillow 
Version:
2.5.2
2.5.1
2.5.0
2.3.1
2.3.0
Vendor: Opensuse
Product: Opensuse 
Version: 13.2;
Vendor: Novell
Product: Opensuse 
Version: 13.2;
Vendor: Debian
Product: Python-imaging 

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
http://secunia.com/advisories/59825
http://www.debian.org/security/2014/dsa-3009
https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
https://pypi.python.org/pypi/Pillow/2.3.2
https://pypi.python.org/pypi/Pillow/2.5.2

Related CVE
CVE-2012-4385
letodms 3.3.6 has CSRF via change password
CVE-2012-4384
letodms has multiple XSS issues: Reflected XSS in Login Page, Stored XSS in Document Owner/User name, Stored XSS in Calendar
CVE-2011-0544
phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag.
CVE-2010-4533
offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.
CVE-2010-4532
offlineimap before 6.3.2 does not check for SSL server certificate validation when "ssl = yes" option is specified which can allow man-in-the-middle attacks.
CVE-2010-3844
An unchecked sscanf() call in ettercap 0.7.3 allows an insecure temporary settings file to overflow a static-sized buffer on the stack.
CVE-2010-3440
babiloo 2.0.9 before 2.0.11 creates temporary files with predictable names when downloading and unpacking dictionary files, allowing a local attacker to overwrite arbitrary files.
CVE-2010-3439
It is possible to cause a DoS condition by causing the server to crash in alien-arena 7.33 by supplying various invalid parameters to the download command.

Copyright 2019, cxsecurity.com

 

Back to Top