CVE Vulnerabilities

CVE-2021-28678

Insufficient Verification of Data Authenticity

Published: Jun 02, 2021 | Modified: Nov 21, 2024
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
LOW

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name Vendor Start Version End Version
Pillow Python * 8.2.0 (excluding)
Red Hat Enterprise Linux 8 RedHat python-pillow-0:5.1.1-16.el8 *
Pillow Ubuntu bionic *
Pillow Ubuntu devel *
Pillow Ubuntu focal *
Pillow Ubuntu groovy *
Pillow Ubuntu hirsute *
Pillow Ubuntu impish *
Pillow Ubuntu jammy *
Pillow Ubuntu kinetic *
Pillow Ubuntu lunar *
Pillow Ubuntu mantic *
Pillow Ubuntu noble *
Pillow Ubuntu oracular *
Pillow Ubuntu trusty *
Pillow Ubuntu trusty/esm *
Pillow Ubuntu upstream *
Pillow Ubuntu xenial *
Pillow-python2 Ubuntu groovy *
Python-imaging Ubuntu precise/esm *

References