{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-03T00:00:00Z",
  "bugzilla" : {
    "description" : "python-pillow: decoding crafted YCbCr files could result in heap-based buffer overflow",
    "id" : "1915424",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1915424"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In Pillow before 8.1.0, TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode.", "A flaw was found in python-pillow. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "python-pillow as shipped with Red Hat Enterprise Linux 7 and 8 are not affected by this flaw as the flaw was introduced in a newer version than shipped.",
  "affected_release" : [ {
    "product_name" : "Red Hat Quay 3",
    "release_date" : "2021-10-19T00:00:00Z",
    "advisory" : "RHSA-2021:3917",
    "cpe" : "cpe:/a:redhat:quay:3::el8",
    "package" : "quay/quay-rhel8:v3.6.0-62"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "python-pillow",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python-pillow",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python-pillow",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-builder-qemu-rhcos-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-35654\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35654\nhttps://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security" ],
  "name" : "CVE-2020-35654",
  "csaw" : false
}