Denial of Service Vulnerability in Pillow by Python Imaging Library
CVE-2021-28675

5.5 MEDIUM

Key Information:

Vendor:
Python
Status:
Vendor
CVE Published:
2 June 2021

Summary

A vulnerability was identified in the Pillow library prior to version 8.2.0, specifically within the PSDImagePlugin.PsdImageFile component. The plugin did not sanity-check the number of input layers against the size of the data block, which could result in a Denial of Service (DoS) when an image is opened with Image.open but before it is loaded with Image.load. This flaw underlines the need for care when processing image files from untrusted sources, and for keeping image-processing libraries up to date.
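The following is an added defensive example and is not code from this advisory or from the Pillow project. It gates untrusted image handling on the installed Pillow version: files carrying the PSD signature are refused unless the installed Pillow is at least 8.2.0, the version the summary names as fixed. The `fixed_version` default, the `open_untrusted_image` helper and the sample path are assumptions made for illustration; the PSD magic bytes `8BPS` are the standard Photoshop file signature.

```python
"""Refuse PSD input on Pillow builds older than the fixed release (added example)."""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

PSD_MAGIC = b"8BPS"  # signature at offset 0 of every Photoshop PSD file

def parse_version(text: str) -> tuple:
    """Turn '8.2.0' (or '8.2.0.post1') into a comparable (8, 2, 0) tuple."""
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))

def pillow_is_patched(pillow_version: str, fixed_version: str = "8.2.0") -> bool:
    """True when the given Pillow version is at or above the fixed release (assumed 8.2.0)."""
    return parse_version(pillow_version) >= parse_version(fixed_version)

def is_psd(header: bytes) -> bool:
    """Detect PSD input by its magic bytes rather than by file extension."""
    return header[:4] == PSD_MAGIC

def current_pillow_version() -> str:
    """Read the installed Pillow version; raise clearly if it is not installed."""
    try:
        return installed_version("Pillow")
    except PackageNotFoundError as exc:
        raise RuntimeError("Pillow is not installed") from exc

def open_untrusted_image(path: str, pillow_version: str = None):
    """Open an image from an untrusted source, refusing PSD data on unpatched Pillow.

    The check happens before Image.open is ever called, because the advisory
    places the fault in the open/parse stage, ahead of Image.load.
    """
    with open(path, "rb") as fh:
        header = fh.read(4)
    ver = pillow_version or current_pillow_version()
    if is_psd(header) and not pillow_is_patched(ver):
        raise ValueError(
            f"refusing PSD input: installed Pillow {ver} predates the fix in 8.2.0"
        )
    from PIL import Image  # imported lazily so the version gate runs first
    img = Image.open(path)
    img.load()  # force decoding now so errors surface here, not later
    return img

if __name__ == "__main__":
    # Constructed sample: the decision a wrapper would make for a PSD header
    sample_header = b"8BPS\x00\x01"
    for v in ("8.1.2", "8.2.0", "9.5.0"):
        decision = "allow" if pillow_is_patched(v) else "refuse"
        print(f"Pillow {v}: PSD input -> {decision}" if is_psd(sample_header) else "not PSD")
```

The gate is deliberately based on content (magic bytes) rather than the file extension, so a renamed PSD file receives the same treatment; the long-term fix remains upgrading Pillow to 8.2.0 or later.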

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
