Miggo Logo
Miggo Vulnerability Database
CVE-2020-5312

CVE-2020-5312:
PCX P mode buffer overflow in Pillow

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-5312
GHSA ID
GHSA-p49h-hjvm-jg3h
EPSS Score
0.74359%
CWE
CWE-120
Published
11/3/2021
Updated
10/8/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Pillowpip< 6.2.26.2.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit diff explicitly shows the vulnerability was addressed by adding an 'else if' clause checking 'P' mode buffer boundaries in ImagingPcxDecode. The CVE description specifically mentions improper size validation in this file, and the patch adds critical xsize vs. bytes comparison for P mode that was previously missing. The added test case pcx_overrun2.bin specifically exercises this code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

li*Im**in*/P*x***o**.* in Pillow ***or* *.*.* **s * P*X P mo** *u***r ov*r*low.

Reasoning

T** *it*u* *ommit *i** *xpli*itly s*ows t** vuln*r**ility w*s ***r*ss** *y ***in* *n '*ls* i*' *l*us* ****kin* 'P' mo** *u***r *oun**ri*s in `Im**in*P*x***o**`. T** *V* **s*ription sp**i*i**lly m*ntions improp*r siz* `v*li**tion` in t*is *il*, *n* t*