CVE-2024-28219 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	6.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:R
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Debian Releases

Debian Product

Codename

pillow

bullseye (security)	8.1.2+dfsg-0.3+deb11u2 fixed
bullseye	8.1.2+dfsg-0.3+deb11u2 fixed
bookworm	9.4.0-1.1+deb12u1 fixed
bookworm (security)	9.4.0-1.1+deb12u1 fixed
sid	11.1.0-5 fixed
trixie	11.1.0-5 fixed

Ubuntu Releases

Ubuntu Product

Codename

pillow

plucky	not-affected
oracular	not-affected
noble	Fixed 10.2.0-1ubuntu1 released
mantic	Fixed 10.0.0-1ubuntu0.2 released
jammy	Fixed 9.0.1-1ubuntu0.3 released
focal	Fixed 7.0.0-4ubuntu0.9 released
bionic	Fixed 5.1.0-1ubuntu0.8+esm1 released
xenial	Fixed 3.1.2-0ubuntu1.6+esm2 released
trusty	Fixed 2.3.0-1ubuntu3.4+esm4 released

pillow-python2

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	Fixed 6.2.1-3ubuntu0.1~esm2 released

Common Weakness Enumeration

CWE-680 - Integer Overflow to Buffer Overflow
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

References

https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M/

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#security

https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M/

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#security