Denial of Service Vulnerability in Pillow PDF Parser by Pillow
CVE-2021-25292

6.5MEDIUM

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 19 March 2021

What is CVE-2021-25292?

A vulnerability has been identified in Pillow's PDF parser prior to version 8.1.1, which is susceptible to a ReDoS attack. An attacker can exploit this vulnerability by crafting a malicious PDF file that, when processed, triggers catastrophic backtracking in the regular expression engine. This can lead to a significant slowdown or complete denial of service for applications relying on Pillow for PDF parsing, complicating user access and system functionality. Users are advised to update to the latest version to mitigate this risk.

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.1....

x_refsource_MISC

https://security.gentoo.org/glsa/202107-33

vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2021
Vulnerability Reserved
Jan 17, 2021

Python

What is CVE-2021-25292?

References

CVSS V3.1

Timeline