Denial of Service Vulnerability in Pillow by Python
CVE-2021-28678

5.5MEDIUM

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 2 June 2021

🔔 Create Python Vulnerability Alert

What is CVE-2021-28678?

A vulnerability was identified in Pillow prior to version 8.2.0, where the BlpImagePlugin failed to adequately validate that data reads from specified file offsets returned valid content. This oversight could enable an attacker to exploit the decoder by executing it repeatedly on empty data, potentially resulting in a service disruption.

References

https://pillow.readthedocs.io/en/stable/releasenotes/8.2....

x_refsource_MISC

https://github.com/python-pillow/Pillow/pull/5377

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2021
Vulnerability Reserved
Mar 18, 2021

.

CVE-2021-28678 : Denial of Service Vulnerability in Pillow by Python