Regular Expression Denial of Service (ReDoS)
CVE-2021-23437

7.5HIGH

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 3 September 2021

Summary

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Affected Version(s)

Pillow 0

Pillow < 8.3.2

References

https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443

https://pillow.readthedocs.io/en/stable/releasenotes/8.3....

https://github.com/python-pillow/Pillow/commit/9e08eb8f78...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2021
Vulnerability Reserved
Jan 8, 2021

Credit

Liyuan Chen

.