Vulnerability Name:

CVE-2019-16865 (CCN-168592)

Assigned:2019-09-24
Published:2019-09-24
Updated:2020-02-18
Summary:An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
3.3 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
2.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-770
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-16865

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0566

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0578

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0580

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0681

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0683

Source: REDHAT
Type: UNKNOWN
RHSA-2020:0694

Source: XF
Type: UNKNOWN
pillow-cve201916865-dos(168592)

Source: FEDORA
Type: Third Party Advisory
FEDORA-2019-19a161d540

Source: FEDORA
Type: Third Party Advisory
FEDORA-2019-e7c83bdf19

Source: CCN
Type: Pillow Web page
Text stroking

Source: MISC
Type: Release Notes, Vendor Advisory
https://pillow.readthedocs.io/en/latest/releasenotes/6.2.0.html

Source: UBUNTU
Type: UNKNOWN
USN-4272-1

Source: DEBIAN
Type: UNKNOWN
DSA-4631

Source: CCN
Type: IBM Security Bulletin 1171066 (PowerAI)
A security vulnerability has been identified in Pillow shipped with PowerAI.

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-16865

Vulnerable Configuration:Configuration 1:
  • cpe:/a:python:pillow:*:*:*:*:*:*:*:* (Version < 6.2.0)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 7:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:python:pillow:6.1.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:powerai:1.5.4:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201916865
    V
    		CVE-2019-16865
    2022-05-22
    oval:org.opensuse.security:def:60393
    P
    		Security update for postgresql10 (Important)
    2021-10-20
    oval:org.opensuse.security:def:59497
    P
    		Security update for webkit2gtk3 (Important)
    2021-06-17
    oval:org.opensuse.security:def:59492
    P
    		Security update for caribou (Important)
    2021-06-10
    oval:org.opensuse.security:def:60277
    P
    		Security update for MozillaFirefox (Important)
    2021-06-08
    oval:org.opensuse.security:def:59745
    P
    		Security update for libX11 (Important)
    2021-06-08
    oval:org.opensuse.security:def:60235
    P
    		Security update for ImageMagick (Moderate)
    2021-04-20
    oval:org.opensuse.security:def:60489
    P
    		Security update for tomcat (Important)
    2021-03-30
    oval:org.opensuse.security:def:59793
    P
    		Security update for openvswitch (Important)
    2021-02-03
    oval:org.opensuse.security:def:59311
    P
    		Security update for libproxy (Important)
    2020-12-01
    oval:org.opensuse.security:def:60698
    P
    		Security update for qemu (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60653
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:59334
    P
    		Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60726
    P
    		Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)
    2020-12-01
    oval:org.opensuse.security:def:60834
    P
    		Security update for libzypp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59067
    P
    		Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60963
    P
    		Security update for qemu (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60046
    P
    		Security update for sqlite3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59245
    P
    		Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60992
    P
    		Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)
    2020-12-01
    oval:org.opensuse.security:def:60609
    P
    		Security update for bzip2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:60535
    P
    		rsyslog on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59678
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:59312
    P
    		Security update for freetype2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:60648
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:60750
    P
    		Security update for xorg-x11-server (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59978
    P
    		Security update for gdb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59066
    P
    		Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60872
    P
    		Security update for python-Twisted (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59928
    P
    		Security update for mariadb (Important)
    2020-12-01
    oval:org.opensuse.security:def:59089
    P
    		Security update for spice (Important)
    2020-12-01
    oval:org.opensuse.security:def:60913
    P
    		Security update for libssh2_org (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60571
    P
    		xf86-video-intel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:84445
    P
    		Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)
    2020-07-14
    oval:org.opensuse.security:def:83992
    P
    		Security update for ansible, ansible1, ardana-ansible, ardana-cluster, ardana-freezer, ardana-input-model, ardana-logging, ardana-mq, ardana-neutron, ardana-octavia, ardana-osconfig, caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-dashboard, openstack-dashboard-theme-HPE, openstack-heat-templates, openstack-keystone, openstack-monasca-agent, openstack-monasca-installer, openstack-neutron, openstack-octavia-amphora-image, python-Django, python-Flask, python-GitPython, python-Pillow, python-amqp, python-apicapi, python-keystoneauth1, python-oslo.messaging, python-psutil, python-pyroute2, python-pysaml2, python-tooz, python-waitress, storm (Important)
    2020-07-14
    oval:com.redhat.rhsa:def:20200580
    P
    		RHSA-2020:0580: python-pillow security update (Important)
    2020-02-24
    oval:com.redhat.rhsa:def:20200578
    P
    		RHSA-2020:0578: python-pillow security update (Important)
    2020-02-24
    oval:com.ubuntu.disco:def:2019168650000000
    V
    		CVE-2019-16865 on Ubuntu 19.04 (disco) - low.
    2019-10-04
    oval:com.ubuntu.bionic:def:2019168650000000
    V
    		CVE-2019-16865 on Ubuntu 18.04 LTS (bionic) - low.
    2019-10-04
    oval:com.ubuntu.xenial:def:2019168650000000
    V
    		CVE-2019-16865 on Ubuntu 16.04 LTS (xenial) - low.
    2019-10-04
    BACK
    python pillow *
    fedoraproject fedora 30
    fedoraproject fedora 31
    python pillow 6.1.0
    ibm powerai 1.5.4