
Commit 4319a6a

1 parent 1f6f40e commit 4319a6a


2 files changed

+142
-0
lines changed

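--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,71 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-56pw-mpj4-fxww",
+"modified": "2023-10-05T00:06:58Z",
+"published": "2023-10-05T00:06:58Z",
+"aliases": [
+
+],
+"summary": "Bundled libwebp in Pillow vulnerable",
+"details": "Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). Pillow v10.0.1 upgrades the bundled libwebp binary to v1.3.2.",
+"severity": [
+
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "pillow"
+},
+"ecosystem_specific": {
+"affected_functions": [
+""
+]
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "10.0.1"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5129"
+},
+{
+"type": "WEB",
+"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2023-175.yaml"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/python-pillow/Pillow"
+},
+{
+"type": "WEB",
+"url": "https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst#1001-2023-09-15"
+}
+],
+"database_specific": {
+"cwe_ids": [
+
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2023-10-05T00:06:58Z",
+"nvd_published_at": null
+}
+}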
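Review bot: `affected_functions` holds a single empty string (file line 22), which any consumer iterating the list will treat as a function literally named `""`; when no affected functions are known, omit the array or the whole `ecosystem_specific` object instead of filling it with a placeholder. The OSV `severity` array (lines 11-13) and `cwe_ids` (lines 63-65) are also empty while `database_specific.severity` is `"HIGH"`, so tools that read the standard `severity` field see no score for an advisory GitHub rates HIGH — a CVSS entry there would keep the two in agreement. The `details` text presents CVE-2023-5129 as the current identifier; to my knowledge that CVE was later rejected as a duplicate of CVE-2023-4863, so the wording may want to name CVE-2023-4863 as canonical — confirm against NVD before changing it. The same three points apply to the GHSA-94vc-p8w7-5p49 (imagecodecs) file section below.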
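--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,71 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-94vc-p8w7-5p49",
+"modified": "2023-10-05T00:07:46Z",
+"published": "2023-10-05T00:07:46Z",
+"aliases": [
+
+],
+"summary": "Bundled libwebp in imagecodecs vulnerable",
+"details": "imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecodecs v2023.9.18 upgrades the bundled libwebp binary to v1.3.2.",
+"severity": [
+
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "imagecodecs"
+},
+"ecosystem_specific": {
+"affected_functions": [
+""
+]
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2023.9.18"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4863"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5129"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/cgohlke/imagecodecs"
+},
+{
+"type": "WEB",
+"url": "https://github.com/cgohlke/imagecodecs/blob/v2023.9.18/CHANGES.rst"
+},
+{
+"type": "WEB",
+"url": "https://github.com/pypa/advisory-database/tree/main/vulns/imagecodecs/PYSEC-2023-174.yaml"
+}
+],
+"database_specific": {
+"cwe_ids": [
+
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2023-10-05T00:07:46Z",
+"nvd_published_at": null
+}
+}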
