Denial of Service Vulnerability in Pillow by Python Imaging Library
CVE-2021-27922

7.5 HIGH

Key Information:

Vendor: Python
Status: Vendor
CVE Published: 3 March 2021

Summary

The Pillow library, a popular Python Imaging Library, contains a vulnerability that allows an attacker to trigger a denial of service (DoS) condition through improper size validation of the images contained within ICNS files. When an attacker submits an ICNS file whose embedded image reports an excessively large size, the library may attempt to allocate an immense amount of memory before the reported size is checked against the data actually present, which can lead to server downtime and degraded performance. This vulnerability emphasizes the importance of robust size validation checks to prevent resource exhaustion and maintain the stability of applications that rely on image processing.

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
