CVE-2020-11538
First published: Thu Jun 25 2020(Updated: )
An out-of-bounds read/write flaw was found in python-pillow, in the way SGI RLE images are decoded. An application that uses python-pillow to decode untrusted images may be vulnerable. This flaw allows an attacker to crash the application or potentially execute code on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-pillow | <0:5.1.1-12.el8_2 | 0:5.1.1-12.el8_2 |
| redhat/python-pillow | <0:5.1.1-11.el8_0 | 0:5.1.1-11.el8_0 |
| redhat/python-pillow | <0:5.1.1-11.el8_1 | 0:5.1.1-11.el8_1 |
| redhat/python-pillow | <7.1.0 | 7.1.0 |
| debian/pillow | 8.1.2+dfsg-0.3+deb11u2 9.4.0-1.1+deb12u1 10.4.0-1 | |
| pip/Pillow | <7.1.0 | 7.1.0 |
| Python Pillow | <=7.0.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-11538 https://nvd.nist.gov/vuln/detail/CVE-2020-11538
- https://bugzilla.redhat.com/show_bug.cgi?id=1852814
- https://access.redhat.com/errata/RHSA-2020:3185
- https://access.redhat.com/errata/RHSA-2020:3302
- https://access.redhat.com/errata/RHSA-2020:3299
- https://access.redhat.com/errata/RHSA-2021:0420
- https://access.redhat.com/security/cve/cve-2020-11538
- https://github.com/python-pillow/Pillow/pull/4504
- https://github.com/python-pillow/Pillow/pull/4538
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
- https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
- https://pillow.readthedocs.io/en/stable/releasenotes/index.html
- https://usn.ubuntu.com/4430-1/
- https://usn.ubuntu.com/4430-2/
- https://launchpad.net/bugs/cve/CVE-2020-11538
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427/
- https://access.redhat.com/security/cve/CVE-2020-5311
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1852815
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1852816
- https://github.com/python-pillow/Pillow/commit/2ef59fdbaeb756bc512ab3f2ad15ac45665b303d
- https://access.redhat.com/security/cve/CVE-2020-10379
- https://security-tracker.debian.org/tracker/CVE-2020-11538
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11538
- https://nvd.nist.gov/vuln/detail/CVE-2020-11538
- https://ubuntu.com/security/CVE-2020-11538
- https://github.com/python-pillow/Pillow/blob/master/docs/releasenotes/7.1.0.rst#security
- https://snyk.io/vuln/SNYK-PYTHON-PILLOW-574574
- https://github.com/advisories/GHSA-43fq-w8qq-v88h (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-80.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEBCPE4F2VHTIT6EZA2YZQZLPVDEBJGD
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HOKHNWV2VS5GESY7IBD237E7C6T3I427
- https://usn.ubuntu.com/4430-1
- https://usn.ubuntu.com/4430-2
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-11538?
CVE-2020-11538 is a vulnerability found in python-pillow, which allows an attacker to crash the application or execute code on the system.
What is the severity of CVE-2020-11538?
CVE-2020-11538 has a severity rating of 8.1, which is considered high.
How does CVE-2020-11538 affect python-pillow?
CVE-2020-11538 affects python-pillow by introducing an out-of-bounds read/write flaw during decoding of SGI RLE images.
How can I fix CVE-2020-11538?
To fix CVE-2020-11538, update python-pillow to version 7.1.0 or later.
Where can I find more information about CVE-2020-11538?
You can find more information about CVE-2020-11538 on the MITRE CVE website, the GitHub page for python-pillow, and the release notes for python-pillow version 7.1.0.
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/remedy
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-11538
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/first-publish-date
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-43fq-w8qq-v88h
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/debian
- package-manager/pip
- vendor/python
- canonical/python pillow
- version/python pillow/7.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04