Vulnerability Description
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Pillow | < 8.2.0 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://github.com/python-pillow/Pillow/pull/5377PatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fRelease NotesVendor Advisory
- https://security.gentoo.org/glsa/202107-33Third Party Advisory
- https://github.com/python-pillow/Pillow/pull/5377PatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fRelease NotesVendor Advisory
- https://security.gentoo.org/glsa/202107-33Third Party Advisory
FAQ
What is CVE-2021-28678?
CVE-2021-28678 is a vulnerability with a CVSS score of 5.5 (MEDIUM). An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder...
How severe is CVE-2021-28678?
CVE-2021-28678 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28678?
Check the references section above for vendor advisories and patch information. Affected products include: Python Pillow, Fedoraproject Fedora.