CVE-2016-9190

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
pythonpillow
𝑥
≤ 3.3.1
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pillow
bullseye (security)
8.1.2+dfsg-0.3+deb11u2
fixed
bullseye
8.1.2+dfsg-0.3+deb11u2
fixed
bookworm
9.4.0-1.1+deb12u1
fixed
bookworm (security)
9.4.0-1.1+deb12u1
fixed
sid
10.4.0-1
fixed
trixie
10.4.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pillow
yakkety
Fixed 3.3.1-1ubuntu0.1
released
xenial
Fixed 3.1.2-0ubuntu1.1
released
trusty
Fixed 2.3.0-1ubuntu3.4
released
precise
dne
python-imaging
yakkety
dne
xenial
dne
trusty
dne
precise
Fixed 1.1.7-4ubuntu0.12.04.3
released
Common Weakness Enumeration
References
http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
http://www.debian.org/security/2016/dsa-3710
http://www.securityfocus.com/bid/94234
https://github.com/python-pillow/Pillow/issues/2105
https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af
https://security.gentoo.org/glsa/201612-52
http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html
http://www.debian.org/security/2016/dsa-3710
http://www.securityfocus.com/bid/94234
https://github.com/python-pillow/Pillow/issues/2105
https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af
https://security.gentoo.org/glsa/201612-52