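--- /dev/null
+++ b/advisories/github-reviewed/2023/10/<FILE-PATH-NOT-SHOWN-GHSA-56pw-mpj4-fxww>
@@ -0,0 +1,71 @@
+{
+"schema_version" : " 1.4.0" ,
+"id" : " GHSA-56pw-mpj4-fxww" ,
+"modified" : " 2023-10-05T00:06:58Z" ,
+"published" : " 2023-10-05T00:06:58Z" ,
+"aliases" : [
+
+],
+"summary" : " Bundled libwebp in Pillow vulnerable" ,
+"details" : " Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2." ,
+"severity" : [
+
+],
+"affected" : [
+{
+"package" : {
+"ecosystem" : " PyPI" ,
+"name" : " pillow"
+},
+"ecosystem_specific" : {
+"affected_functions" : [
+" "
+]
+},
+"ranges" : [
+{
+"type" : " ECOSYSTEM" ,
+"events" : [
+{
+"introduced" : " 0"
+},
+{
+"fixed" : " 10.0.1"
+}
+]
+}
+]
+}
+],
+"references" : [
+{
+"type" : " ADVISORY" ,
+"url" : " https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
+},
+{
+"type" : " ADVISORY" ,
+"url" : " https://nvd.nist.gov/vuln/detail/CVE-2023-5129"
+},
+{
+"type" : " WEB" ,
+"url" : " https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml"
+},
+{
+"type" : " PACKAGE" ,
+"url" : " https://github.com/python-pillow/Pillow"
+},
+{
+"type" : " WEB" ,
+"url" : " https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15"
+}
+],
+"database_specific" : {
+"cwe_ids" : [
+
+],
+"severity" : " HIGH" ,
+"github_reviewed" : true ,
+"github_reviewed_at" : " 2023-10-05T00:06:58Z" ,
+"nvd_published_at" : null
+}
+}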
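Review bot: `ecosystem_specific.affected_functions` holds a single empty (or whitespace-only) string at new-file line 22, and the same entry appears in GHSA-94vc-p8w7-5p49; an empty string is not a symbol name, so a consumer that matches affected functions against a dependency graph gets either a spurious hit or a malformed record, and the element should be dropped (`"affected_functions": []`) or `ecosystem_specific` omitted when no symbol-level data is known. The identifiers that make this record actionable, CVE-2023-5129 and CVE-2023-4863, appear only in the free-text `details` and in reference URLs: `aliases` is left empty, presumably on purpose because a bundled copy of libwebp is not the same advisory as the libwebp CVE, but the OSV `related` field covers exactly that relationship, and `"related": ["CVE-2023-5129", "CVE-2023-4863"]` would keep CVE-driven lookups from missing both records. `severity` is an empty array and `database_specific.cwe_ids` is empty while `database_specific.severity` is `"HIGH"`; if that rating is inherited from the referenced CVE, carrying its CVSS vector and CWE here would let tooling verify the label rather than trust it.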
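--- /dev/null
+++ b/advisories/github-reviewed/2023/10/<FILE-PATH-NOT-SHOWN-GHSA-94vc-p8w7-5p49>
@@ -0,0 +1,71 @@
+{
+"schema_version" : " 1.4.0" ,
+"id" : " GHSA-94vc-p8w7-5p49" ,
+"modified" : " 2023-10-05T00:07:46Z" ,
+"published" : " 2023-10-05T00:07:46Z" ,
+"aliases" : [
+
+],
+"summary" : " Bundled libwebp in imagecodecs vulnerable" ,
+"details" : " imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecodecs v2023.9.18 upgrades the bundled libwebp binary to v1.3.2." ,
+"severity" : [
+
+],
+"affected" : [
+{
+"package" : {
+"ecosystem" : " PyPI" ,
+"name" : " imagecodecs"
+},
+"ecosystem_specific" : {
+"affected_functions" : [
+" "
+]
+},
+"ranges" : [
+{
+"type" : " ECOSYSTEM" ,
+"events" : [
+{
+"introduced" : " 0"
+},
+{
+"fixed" : " 2023.9.18"
+}
+]
+}
+]
+}
+],
+"references" : [
+{
+"type" : " ADVISORY" ,
+"url" : " https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
+},
+{
+"type" : " ADVISORY" ,
+"url" : " https://nvd.nist.gov/vuln/detail/CVE-2023-5129"
+},
+{
+"type" : " PACKAGE" ,
+"url" : " https://github.com/cgohlke/imagecodecs"
+},
+{
+"type" : " WEB" ,
+"url" : " https://github.com/cgohlke/imagecodecs/blob/v2023.9.18/CHANGES.rst"
+},
+{
+"type" : " WEB" ,
+"url" : " https://github.com/pypa/advisory-database/tree/main/vulns/imagecodecs/PYSEC-2023-174.yaml"
+}
+],
+"database_specific" : {
+"cwe_ids" : [
+
+],
+"severity" : " HIGH" ,
+"github_reviewed" : true ,
+"github_reviewed_at" : " 2023-10-05T00:07:46Z" ,
+"nvd_published_at" : null
+}
+}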