CVE-2021-28678

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Pillow versions prior to 8.2.0

Description: An issue was discovered in Pillow where the BlpImagePlugin did not properly check that reads, after jumping to file offsets, returned data for BLP data. This could lead to a denial of service (DoS) where the decoder could be run a large number of times on empty data.

Recommendations: For versions prior to 8.2.0, update to version 8.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the BlpImagePlugin to minimize the risk of exploitation.

Fix

DoS

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345

Related Identifiers

ALSA-2021:4149

ALT-PU-2021-2460

ALT-PU-2023-7942

ALT-PU-2023-8182

BIT-PILLOW-2021-28678

CESA-2021_4149

CVE-2021-28678

GHSA-HJFX-8P6C-G7GX

MGASA-2021-0389

OPENSUSE-SU-2024_1607-1

PYSEC-2021-94

RHSA-2021:4149

RHSA-2021_4149

RLSA-2021:4149

SUSE-SU-2021:1938-1

SUSE-SU-2024:1607-1

USN-4963-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Rocky Linux

Suse

Ubuntu

CVE-2021-28678

Weakness Enumeration

Related Identifiers

Affected Products

References · 98