{"id":"CVE-2020-35655","details":"In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.","aliases":["BIT-pillow-2020-35655","GHSA-hf64-x4gq-p99h","PYSEC-2021-71"],"modified":"2026-03-17T22:51:30.845529Z","published":"2021-01-12T09:15:13.967Z","related":["ALSA-2021:4149","SUSE-SU-2021:1938-1","openSUSE-SU-2021:1134-1","openSUSE-SU-2024:11209-1","openSUSE-SU-2024:13827-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"},{"type":"ADVISORY","url":"https://pillow.readthedocs.io/en/stable/releasenotes/index.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python-pillow/pillow","events":[{"introduced":"636dc62f0e8f9b233f1f2b287292b45325df135d"},{"fixed":"fcc42e0d344146ee9d265d1f43c094ce5a0ec4cf"}],"database_specific":{"versions":[{"introduced":"4.3.0"},{"fixed":"8.1.0"}]}}],"versions":["4.3.0","5.0.0","5.1.0","5.2.0","5.3.0","5.4.0","6.0.0","6.1.0","6.2.0","7.0.0","7.1.0","7.2.0","8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-35655.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"}]}