CVE-2021-28678

Опубликовано: 02 июн. 2021

Источник: nvd

CVSS3: 5.5

CVSS2: 4.3

EPSS Низкий

Описание

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Ссылки

https://github.com/python-pillow/Pillow/pull/5377
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
Release Notes
Vendor Advisory
https://security.gentoo.org/glsa/202107-33
Third Party Advisory
https://github.com/python-pillow/Pillow/pull/5377
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
Release Notes
Vendor Advisory
https://security.gentoo.org/glsa/202107-33
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*

Версия до 8.2.0 (исключая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

EPSS

Процентиль: 30%

0.0011

Низкий

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-345

Связанные уязвимости

CVE-2021-28678

CVSS3: 5.5

ubuntu

больше 4 лет назад

CVE-2021-28678

CVSS3: 7.5

redhat

почти 5 лет назад

CVE-2021-28678

CVSS3: 5.5

debian

больше 4 лет назад

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImage ...

GHSA-hjfx-8p6c-g7gx

CVSS3: 5.5

github

больше 4 лет назад

Insufficient Verification of Data Authenticity in Pillow

SUSE-SU-2024:1607-1

suse-cvrf

больше 1 года назад

Security update for python-Pillow

EPSS

Процентиль: 30%

0.0011

Низкий

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-345