Out-of-Bounds Read Vulnerability in Pillow Image Processing Library
CVE-2021-25287

9.1CRITICAL

Key Information:

Vendor
Python
Status
Pillow
Vendor
CVE Published:
2 June 2021

Summary

Pillow, an essential Python imaging library, has a vulnerability prior to version 8.2.0 characterized by an out-of-bounds read in the J2kDecode function, particularly in the j2ku_graya_la method. This flaw could potentially lead to the exposure of sensitive memory contents, thus posing a risk for data corruption or unexpected behavior in applications utilizing this library. It is critical for developers and system administrators to upgrade to the latest version of Pillow to mitigate these security risks effectively.

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.2....
x_refsource_MISC
https://github.com/python-pillow/Pillow/pull/5377#issueco...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.