Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqZngtOHA2Yy1nN2d4
Insufficient Verification of Data Authenticity in Pillow
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
Permalink: https://github.com/advisories/GHSA-hjfx-8p6c-g7gxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhqZngtOHA2Yy1nN2d4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 8 days ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-hjfx-8p6c-g7gx, CVE-2021-28678
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-28678
- https://github.com/python-pillow/Pillow/pull/5377
- https://github.com/python-pillow/Pillow/pull/5377/commits/496245aa4365d0827390bd0b6fbd11287453b3a1
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
- https://security.gentoo.org/glsa/202107-33
- https://github.com/advisories/GHSA-hjfx-8p6c-g7gx
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
Blast Radius: 27.2
Affected Packages
pypi:Pillow
Dependent packages: 4,378Dependent repositories: 88,899
Downloads: 125,768,317 last month
Affected Version Ranges: >= 5.1.0, < 8.2.0
Fixed in: 8.2.0
All affected versions: 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2
All unaffected versions: 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 5.0.0, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 11.0.0