Out-of-Bounds Read in Pillow by Python Software Foundation
CVE-2021-25288

9.1 CRITICAL

Key Information:

Vendor: Python
Status: Vendor
CVE Published: 2 June 2021

What is CVE-2021-25288?

A vulnerability has been identified in Pillow versions prior to 8.2.0: an out-of-bounds read occurs in the J2kDecode function, specifically in j2ku_gray_i. The flaw may lead to unintended data exposure or an application crash, so users should update to the latest version to mitigate the potential impact. The issue was addressed in the 8.2.0 release, which hardens the library against this class of defect.

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
