Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk1cTMtOGdyOS1nbTh3

High CVSS: 8.7 EPSS: 0.0079% (0.73044 Percentile) EPSS:
Permalink JSON

Pillow Denial of Service by Uncontrolled Resource Consumption

Affected Packages Affected Versions Fixed Versions
pypi:pillow
PURL: pkg:pypi/pillow
< 8.1.2 8.1.2
4,378 Dependent packages
88,899 Dependent repositories
222,775,566 Downloads last month

Affected Version Ranges

All affected versions

1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 3.0.0, 3.1.0, 3.1.0rc1, 3.1.1, 3.1.2, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1

All unaffected versions

8.1.2, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 12.0.0

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

References:

Identifiers

GHSA-95q3-8gr9-gm8w

CVE-2021-27923

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.0079

EPSS Percentile: 0.73044

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/python-pillow/Pillow

Date and time

Published

over 4 years ago

Updated

3 months ago

API

JSON