Denial of Service Vulnerability in Pillow by Python
CVE-2021-28676

7.5HIGH

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 2 June 2021

What is CVE-2021-28676?

A vulnerability has been identified in the Pillow library prior to version 8.2.0, where the FliDecode function inadequately checks whether the block advance is zero. This oversight can potentially result in an infinite loop when loading FLI data, impacting application stability. It is recommended for users of Pillow to upgrade to the latest version to mitigate this risk.

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.2....

https://github.com/python-pillow/Pillow/pull/5377

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2021
Vulnerability Reserved
Mar 18, 2021