
pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl: 1 vulnerability (highest severity is: 6.7) [main] (unreachable) #34

@renovate

Description

📂 Vulnerable Library - pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260528231800_QJPNCP/python_YUBJHY/202605282318011/env/lib/python3.10/site-packages/pillow-10.2.0.dist-info

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-28219 | 🟠 Medium | 6.7 | Not Defined | < 1% | pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl | Direct | N/A | | Unreachable |

Details

🟠 CVE-2024-28219

Vulnerable Library - pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/cb/c3/98faa3e92cf866b9446c4842f1fe847e672b2f54e000cb984157b8095797/pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260528231800_QJPNCP/python_YUBJHY/202605282318011/env/lib/python3.10/site-packages/pillow-10.2.0.dist-info

Dependency Hierarchy:

  • sentence-transformers-2.2.2.tar.gz (Root Library)
    • torchvision-0.27.0-cp310-cp310-manylinux_2_28_x86_64.whl
      • pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl (Vulnerable Library)
  • pillow-10.2.0-cp310-cp310-manylinux_2_28_x86_64.whl (Vulnerable Library)


Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Publish Date: Apr 03, 2024 12:00 AM

URL: CVE-2024-28219

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.7


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:
