CVE-2014-9601

Published: Jan 16, 2015Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.

Affected (4)

Products: Python: Pillow · Oracle: Solaris · Fedoraproject: Fedora · +1 more

Show all products

Python: Pillow · Oracle: Solaris · Fedoraproject: Fedora · Opensuse: Opensuse

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Python Pillow	Up to 2.6.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Solaris	Version 11.2

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 21
Opensuse Opensuse	Version 13.2

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (14)

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html

Source: cve@mitre.org

Third Party Advisory

http://pillow.readthedocs.org/releasenotes/2.7.0.html

Source: cve@mitre.org

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/77758

Source: cve@mitre.org

https://github.com/python-pillow/Pillow/pull/1060

Source: cve@mitre.org

Vendor Advisory

https://www.djangoproject.com/weblog/2015/jan/02/pillow-security-release/

Source: cve@mitre.org

Third Party Advisory

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html