CVE-2021-28677

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 8.2.0

Description The issue is related to the readline implementation in the EPSImageFile component of the Pillow library. It uses a quadratic method to accumulate lines while searching for a line ending, which can be exploited by a malicious EPS file to perform a denial of service (DoS) attack. This can happen before an image is accepted for opening. A remote attacker could use this vulnerability to cause a DoS.

Recommendations For Pillow versions prior to 8.2.0, update to version 8.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of EPS files until the update is applied.

Fix

RCE

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-400

Related Identifiers

ALSA-2021:4149

ALT-PU-2021-2460

ALT-PU-2023-7942

ALT-PU-2023-8182

BDU:2021-05313

BIT-PILLOW-2021-28677

CESA-2021_4149

CVE-2021-28677

DLA-2716-1

GHSA-Q5HQ-FP76-QMRC

MGASA-2021-0389

OPENSUSE-SU-2024_1607-1

PYSEC-2021-93

RHSA-2021:4149

RHSA-2021_4149

RLSA-2021:4149

SUSE-SU-2021:1938-1

SUSE-SU-2021:1939-1

SUSE-SU-2021:1940-1

SUSE-SU-2024:1607-1

USN-4963-1

USN-8135-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Rocky Linux

Suse

Ubuntu

CVE-2021-28677

Weakness Enumeration

Related Identifiers

Affected Products

References · 115