odoo / odoo

Odoo. Open Source Apps To Grow Your Business.

Home Page:https://www.odoo.com


[17.0][SEC] CVSS 8.8 SBOM Dep. pillow 9.0.1 & 9.4.0 vulnerabilities

wilsonmar opened this issue · comments

After obtaining the dependency SBOM from odoo v17.0 at 6f6763b, a run of
osv-scanner scan -S odoo_odoo_6f6763b6728335b0728645806d77a0cb7453ffc7.json
reported the vulnerabilities identified below:

╭─────────────────────────────────────┬──────┬──────────────┬────────
│ OSV URL                             │ CVSS │ PACKAGE      │ VERSION
├─────────────────────────────────────┼──────┼──────────────┼────────
│ https://osv.dev/GHSA-3f63-hfp8-52jq │ 8.1  │ pillow       │ 9.0.1  
│ https://osv.dev/GHSA-44wm-f244-xhp3 │ 6.7  │ pillow       │ 9.0.1  
│ https://osv.dev/GHSA-56pw-mpj4-fxww │      │ pillow       │ 9.0.1  
│ https://osv.dev/GHSA-8ghj-p4vj-mr35 │ 7.5  │ pillow       │ 9.0.1  
│ https://osv.dev/PYSEC-2023-227      │      │              │       
│ https://osv.dev/GHSA-j7hp-h8jx-5ppr │ 8.8  │ pillow       │ 9.0.1  
│ https://osv.dev/GHSA-m2vv-5vj5-2hm7 │ 7.5  │ pillow       │ 9.0.1  
│ https://osv.dev/PYSEC-2022-42979    │      │              │       
│ https://osv.dev/PYSEC-2023-175      │      │ pillow       │ 9.0.1  
│ https://osv.dev/GHSA-3f63-hfp8-52jq │ 8.1  │ pillow       │ 9.4.0  
│ https://osv.dev/GHSA-44wm-f244-xhp3 │ 6.7  │ pillow       │ 9.4.0  
│ https://osv.dev/GHSA-56pw-mpj4-fxww │      │ pillow       │ 9.4.0  
│ https://osv.dev/GHSA-8ghj-p4vj-mr35 │ 7.5  │ pillow       │ 9.4.0  
│ https://osv.dev/PYSEC-2023-227      │      │              │       
│ https://osv.dev/GHSA-j7hp-h8jx-5ppr │ 8.8  │ pillow       │ 9.4.0  
│ https://osv.dev/PYSEC-2023-175      │      │ pillow       │ 9.4.0  

Same as #165042 (comment): we need proof that it is applicable, and this is not the proper report channel.
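As an added example (not part of this issue, of Odoo, or of osv-scanner), the following Python script parses the box-drawn table osv-scanner printed in the report above into per-package findings, so a reporter can state how many distinct advisories apply to each pinned Pillow version, what the highest score is, and which rows carry no score at all. It assumes that a row whose PACKAGE and VERSION cells are blank (the PYSEC rows) is an alias that osv-scanner grouped with the advisory on the previous row, and that the severity bands are the CVSS v3 ranges; the embedded table is constructed from the one quoted in the issue, with the right-hand columns cut off as in the scrape.

```python
"""Triage helper for osv-scanner's table output (added example, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the rows quoted in the issue, right-hand columns truncated
# exactly as the scrape shows them (ECOSYSTEM and SOURCE are missing).
SAMPLE_TABLE = """\
╭─────────────────────────────────────┬──────┬──────────────┬────────
│ OSV URL                             │ CVSS │ PACKAGE      │ VERSION
├─────────────────────────────────────┼──────┼──────────────┼────────
│ https://osv.dev/GHSA-3f63-hfp8-52jq │ 8.1  │ pillow       │ 9.0.1
│ https://osv.dev/GHSA-44wm-f244-xhp3 │ 6.7  │ pillow       │ 9.0.1
│ https://osv.dev/GHSA-56pw-mpj4-fxww │      │ pillow       │ 9.0.1
│ https://osv.dev/GHSA-8ghj-p4vj-mr35 │ 7.5  │ pillow       │ 9.0.1
│ https://osv.dev/PYSEC-2023-227      │      │              │
│ https://osv.dev/GHSA-j7hp-h8jx-5ppr │ 8.8  │ pillow       │ 9.0.1
│ https://osv.dev/GHSA-m2vv-5vj5-2hm7 │ 7.5  │ pillow       │ 9.0.1
│ https://osv.dev/PYSEC-2022-42979    │      │              │
│ https://osv.dev/PYSEC-2023-175      │      │ pillow       │ 9.0.1
│ https://osv.dev/GHSA-3f63-hfp8-52jq │ 8.1  │ pillow       │ 9.4.0
│ https://osv.dev/GHSA-44wm-f244-xhp3 │ 6.7  │ pillow       │ 9.4.0
│ https://osv.dev/GHSA-56pw-mpj4-fxww │      │ pillow       │ 9.4.0
│ https://osv.dev/GHSA-8ghj-p4vj-mr35 │ 7.5  │ pillow       │ 9.4.0
│ https://osv.dev/PYSEC-2023-227      │      │              │
│ https://osv.dev/GHSA-j7hp-h8jx-5ppr │ 8.8  │ pillow       │ 9.4.0
│ https://osv.dev/PYSEC-2023-175      │      │ pillow       │ 9.4.0
╰─────────────────────────────────────┴──────┴──────────────┴────────
"""


@dataclass
class Finding:
    ids: list[str]        # primary advisory id followed by any grouped aliases
    cvss: float | None    # base score, or None when OSV lists no score
    package: str
    version: str


def parse_osv_table(text: str) -> list[Finding]:
    """Turn osv-scanner's box-drawn table into one Finding per advisory group."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.startswith("│") or "OSV URL" in line:
            continue  # skip border rows and the header row
        cells = [c.strip() for c in line.split("│")[1:]]
        cells += [""] * (4 - len(cells))  # tolerate rows truncated by the scrape
        url, cvss, package, version = cells[:4]
        vuln_id = url.rsplit("/", 1)[-1]
        # Assumption: a blank PACKAGE cell means this id is an alias of the row above.
        if not package and findings:
            findings[-1].ids.append(vuln_id)
            continue
        score = float(cvss) if re.fullmatch(r"\d+(\.\d+)?", cvss) else None
        findings.append(Finding([vuln_id], score, package, version))
    return findings


def severity(score: float | None) -> str:
    """CVSS v3 qualitative bands (assumed; osv-scanner prints only the number)."""
    if score is None:
        return "UNSCORED"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def summarise(findings: list[Finding]) -> dict[tuple[str, str], dict]:
    """Per (package, version): group count, highest score and unscored rows."""
    summary: dict[tuple[str, str], dict] = {}
    for f in findings:
        entry = summary.setdefault(
            (f.package, f.version), {"groups": 0, "max_cvss": None, "unscored": 0})
        entry["groups"] += 1
        if f.cvss is None:
            entry["unscored"] += 1
        elif entry["max_cvss"] is None or f.cvss > entry["max_cvss"]:
            entry["max_cvss"] = f.cvss
    return summary


def distinct_advisories(findings: list[Finding]) -> set[str]:
    """Primary ids across all versions, so one advisory is not counted per version."""
    return {f.ids[0] for f in findings}


if __name__ == "__main__":
    found = parse_osv_table(SAMPLE_TABLE)
    for (pkg, ver), entry in sorted(summarise(found).items()):
        print(f"{pkg} {ver}: {entry['groups']} advisories, worst "
              f"{entry['max_cvss']} ({severity(entry['max_cvss'])}), "
              f"{entry['unscored']} unscored")
    print(f"{len(distinct_advisories(found))} distinct advisories in total")
```

Running it against the quoted table collapses the sixteen printed rows to thirteen advisory groups, seven of which are distinct across the two pinned versions; the two unscored groups per version are the ones a reporter still has to score by hand before claiming a severity for the whole set.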