Allocation of Resources Without Limits or Throttling Affecting python-pillow-tk package, versions <0:2.0.0-23.gitd1c6db8.amzn2.0.4
Threat Intelligence
EPSS: 1.8% (89th percentile)
- Snyk ID SNYK-AMZN2-PYTHONPILLOWTK-5671984
- published 8 Jun 2023
- disclosed 16 Jan 2015
Introduced: 16 Jan 2015
- CVE-2014-9601
How to fix?
Upgrade Amazon-Linux:2 python-pillow-tk to version 0:2.0.0-23.gitd1c6db8.amzn2.0.4 or higher.
This issue was patched in ALAS2-2023-2083.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-pillow-tk package and not the python-pillow-tk package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.
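As an added example that is not part of this advisory or of Pillow's own code: a defensive PNG chunk scanner that inflates zTXt text chunks only up to a fixed byte cap, so a chunk that is small on disk but huge when decompressed is rejected instead of exhausting memory. The cap value, the helper names and the two sample images are assumptions constructed for this example.

```python
import struct
import zlib
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_TEXT_CHUNK = 64 * 1024  # assumed cap on one chunk's decompressed size (chosen for this example)

def iter_chunks(data):
    """Yield (type, payload) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            break

def bounded_inflate(blob, limit=MAX_TEXT_CHUNK):
    """Inflate at most `limit` bytes; reject a stream that would produce more."""
    d = zlib.decompressobj()
    out = d.decompress(blob, limit)  # max_length stops inflation at the cap
    if d.unconsumed_tail:            # input left over: output would exceed the cap
        raise ValueError("compressed text chunk expands beyond %d bytes" % limit)
    if not d.eof:
        raise ValueError("truncated or malformed compressed text chunk")
    return out

def scan_text_chunks(data, limit=MAX_TEXT_CHUNK):
    """Return {keyword: text} for every zTXt chunk, refusing oversized ones."""
    found = {}
    for ctype, payload in iter_chunks(data):
        if ctype == b"zTXt":
            keyword, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method (0 = zlib); the stream follows it
            found[keyword.decode("latin-1")] = bounded_inflate(rest[1:], limit)
    return found

def make_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
def make_png_with_ztxt(keyword, text):
    """Constructed minimal PNG (IHDR + one zTXt + IEND); pixel data is not needed to scan chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    ztxt = keyword + b"\x00" + b"\x00" + zlib.compress(text)  # keyword, NUL, method 0, zlib stream
    return PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"zTXt", ztxt) + make_chunk(b"IEND", b"")

# Constructed inputs: a normal comment, and one that inflates to 4 MiB from a few KB.
BENIGN_PNG = make_png_with_ztxt(b"Comment", b"hello from a normal zTXt chunk")
BOMB_PNG = make_png_with_ztxt(b"Comment", b"\x00" * (4 * 1024 * 1024))
```

Raising the limit to cover the full 4 MiB makes the second image parse normally, which is the knob a fixed version exposes rather than decompressing without bound.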
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
- https://github.com/python-pillow/Pillow/pull/1060
- https://www.djangoproject.com/weblog/2015/jan/02/pillow-security-release/
- http://pillow.readthedocs.org/releasenotes/2.7.0.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148442.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00056.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.securityfocus.com/bid/77758
CVSS Scores (version 3.1)