CVE-2021-28678: Insufficient Verification of Data Authenticity in Pillow

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 70.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 2
Latest update: Jun 8

Description

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: python/pillow < 8.2.0
PyPI: python/pillow 5.1.0 up to (not including) 8.2.0
Debian: python/pillow < 8.1.2+dfsg-0.2+3

Also affects: Fedora 33

Patches

Vulnerability Details (4)

GHSA: Insufficient Verification of Data Authenticity in Pillow (2021-06-08)
OSV: Insufficient Verification of Data Authenticity in Pillow (2021-06-08)
CVEList: CVE-2021-28678: An issue was discovered in Pillow before 8... (2021-06-02)
OSV: CVE-2021-28678: An issue was discovered in Pillow before 8... (2021-06-02)

Vendor Advisories (3)

Ubuntu: Pillow vulnerabilities (2021-05-19)
Red Hat: python-pillow: Excessive looping in BLP image reader (2021-04-01)
Debian: CVE-2021-28678: pillow - An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did... (2021)
CVE-2021-28678 — Python Pillow vulnerability | cvebase