CVE-2021-28676

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 8.2.0

Description An issue was discovered in the FliDecode component of the Pillow image processing library, related to incorrect checking of non-zero block advance for FLI data. This could potentially lead to an infinite loop when loading data. The issue may allow a remote attacker to cause a denial of service.

Recommendations For versions prior to 8.2.0, update to version 8.2.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of FLI data with the FliDecode component until a patch is applied.

Fix

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

ALSA-2021:4149

ALT-PU-2021-2460

ALT-PU-2023-7942

ALT-PU-2023-8182

BDU:2021-05238

BIT-PILLOW-2021-28676

CESA-2021_4149

CVE-2021-28676

DLA-2716-1

GHSA-7R7M-5H27-29HP

MGASA-2021-0389

OPENSUSE-SU-2024_1607-1

PYSEC-2021-92

RHSA-2021:4149

RHSA-2021_4149

RLSA-2021:4149

SUSE-SU-2021:1938-1

SUSE-SU-2021:1939-1

SUSE-SU-2021:1940-1

SUSE-SU-2024:1607-1

USN-4963-1

USN-8135-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Rocky Linux

Suse

Ubuntu

CVE-2021-28676

Weakness Enumeration

Related Identifiers

Affected Products

References · 120