Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-28677

Опубликовано: 01 апр. 2021
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

A flaw was found in python-pillow. The readline used in EPS has to deal with any combination of \r and \n as line endings. It accidentally used a quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a denial-of-service of Pillow in the open phase, before an image was accepted for opening.

Меры по смягчению последствий

To mitigate this feature on Red Hat Quay keep the invoice generation feature disabled, as it is by default.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 7python-pillowOut of support scope
Red Hat Quay 3quay/quay-rhel8Affected
Red Hat Enterprise Linux 8python-pillowFixedRHSA-2021:414909.11.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1958257python-pillow: Excessive CPU use in EPS image reader

EPSS

Процентиль: 49%
0.00263
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-28677

CVSS3: 7.5
ubuntu
больше 4 лет назад

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

nvd логотип

CVE-2021-28677

CVSS3: 7.5
nvd
больше 4 лет назад

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

debian логотип

CVE-2021-28677

CVSS3: 7.5
debian
больше 4 лет назад

An issue was discovered in Pillow before 8.2.0. For EPS data, the read ...

github логотип

GHSA-q5hq-fp76-qmrc

CVSS3: 7.5
github
больше 4 лет назад

Uncontrolled Resource Consumption in Pillow

fstec логотип

BDU:2021-05313

CVSS3: 7.5
fstec
почти 5 лет назад

Уязвимость реализации readline компонента EPSImageFile библиотеки для работы с изображениями Pillow, связанная с недостаточной проверкой входных данных, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 49%
0.00263
Низкий

7.5 High

CVSS3