PT-2021-6817 · Pillow+6

Liyuan Chen · Published 2021-09-03 · Updated 2024-06-15

CVE-2021-23437 · CVSS v4.0 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Pillow, all versions from 5.2.0 up to but not including 8.3.2 (i.e. 5.2.0 <= version < 8.3.2). The issue is fixed in 8.3.2.
Description: Regular Expression Denial of Service (ReDoS, CWE-1333) in PIL.ImageColor.getrgb, the function that parses CSS-style color strings ("#rrggbb", "rgb(...)", "hsl(...)", named colors and similar). A crafted, very long color string drives the parsing regular expressions into heavy backtracking, so the CPU time spent grows superlinearly with the length of the input and the process stalls (uncontrolled resource consumption). getrgb is reached not only by calling it directly but through every Pillow API that accepts a color as a string (for example Image.new, ImageColor.getcolor and the fill/outline arguments of ImageDraw), so any service that builds images from user-supplied color parameters lets a remote, unauthenticated attacker exhaust CPU on the host. The impact is availability only; no memory corruption or information disclosure is involved.
Recommendations: Update to Pillow 8.3.2 or later, which rejects over-long color specifiers before they reach the regular expressions. The same advice applies to every affected version; there is no separate path for 5.2.0+ versus older releases. If you cannot update immediately, validate the length and shape of any color string coming from untrusted input before passing it to Pillow (a few dozen characters is enough for every legitimate CSS-style specifier), or accept only an allow-list of named colors and hex triplets. Disabling getrgb itself is not a practical workaround, because Pillow's own APIs call it internally whenever a color is given as a string.
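The following Python script is an added example (not code from this page or from the Pillow project). It triages a Pillow version string against the affected range stated above, shows why a regex of the shape used by the affected hsl()/hsv() parsers costs quadratic time on a non-matching digit run, and implements the length guard recommended as a workaround. HSL_PATTERN is modelled on that shape and is an assumption about the exact upstream text, and the 100-character cap is this example's own choice; the script does not import Pillow, so it runs without it installed.

```python
import re
import time

# Affected range from the advisory: 5.2.0 <= version < 8.3.2 (fixed in 8.3.2).
AFFECTED_MIN = (5, 2, 0)
FIXED_IN = (8, 3, 2)


def parse_version(version: str) -> tuple:
    """Turn a Pillow version string such as '8.3.1' or '9.0.0.post1' into an int tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the given Pillow version falls inside the CVE-2021-23437 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


# Regex modelled on the shape of the hsl()/hsv() parsers in affected ImageColor.getrgb
# (assumption: the exact upstream text may differ).  The group '(\d+\.?\d*)' is followed
# by a mandatory ',' so on 'hsl(' + '9' * n the engine tries every split of the digit
# run between '\d+' and '\d*' before failing: O(n^2) steps for a non-matching input.
HSL_PATTERN = re.compile(
    r"hsl\(\s*(\d+\.?\d*)\s*,\s*(\d+\.?\d*)%\s*,\s*(\d+\.?\d*)%\s*\)$"
)

# Example's own cap.  Every legitimate CSS-style color ("#rrggbbaa", "rgba(255, 255, 255, 255)",
# "hsl(120.5, 50%, 25%)", named colors) is far shorter than this.
MAX_COLOR_SPECIFIER_LEN = 100


def check_color_specifier(color: str, max_len: int = MAX_COLOR_SPECIFIER_LEN) -> str:
    """Reject over-long color strings before they reach a regex-based parser.

    Put this in front of ImageColor.getrgb, Image.new, ImageDraw fill/outline arguments
    and any other Pillow call that receives a CSS-style color string from untrusted input.
    """
    if not isinstance(color, str):
        raise TypeError("color specifier must be a str")
    if len(color) > max_len:
        raise ValueError(f"color specifier is too long ({len(color)} > {max_len})")
    return color


def parse_hsl(color: str) -> tuple:
    """Guarded hsl() parse: length check first, then the regex; returns (h, s, l) as floats."""
    color = check_color_specifier(color).lower()
    m = HSL_PATTERN.match(color)
    if not m:
        raise ValueError(f"unknown color specifier: {color!r}")
    return tuple(float(g) for g in m.groups())


def backtracking_cost(n: int) -> float:
    """Seconds the UNGUARDED regex spends on a non-matching digit run of length n.

    Only for illustrating the superlinear growth; absolute timings vary by machine.
    """
    payload = "hsl(" + "9" * n          # constructed input: digits and no closing ',' or ')'
    start = time.perf_counter()
    HSL_PATTERN.match(payload)          # never matches; the whole cost is backtracking
    return time.perf_counter() - start


if __name__ == "__main__":
    for v in ("5.1.2", "8.3.1", "8.3.2", "10.4.0"):
        print(f"Pillow {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("parsed:", parse_hsl("hsl(120, 50%, 25%)"))
    # Doubling n should roughly quadruple the time taken by the unguarded pattern.
    for n in (1_000, 2_000, 4_000):
        print(f"n={n:>5}: unguarded match took {backtracking_cost(n):.3f}s")
    try:
        parse_hsl("hsl(" + "9" * 100_000)
    except ValueError as exc:
        print("guarded parse rejected the payload:", exc)
```

The guard is deliberately a plain length check rather than a rewrite of the regex: it mirrors the approach of the upstream fix, costs nothing on legitimate input, and protects every Pillow entry point at once when applied at the trust boundary (the HTTP handler, form parser or API layer that first receives the color string).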

Exploit

Fix

DoS

Resource Exhaustion

Out of bounds Read


Weakness Enumeration

Related Identifiers

ALT-PU-2021-3028
ALT-PU-2023-7942
ALT-PU-2023-8182
BDU:2022-02242
BIT-PILLOW-2021-23437
CVE-2021-23437
DLA-3768-1
GHSA-98VV-PW6R-Q6Q4
MGASA-2021-0448
OESA-2021-1383
OPENSUSE-SU-2024:11209-1
OPENSUSE-SU-2024:13827-1
OPENSUSE-SU-2024_1673-1
PYSEC-2021-317
SNYK-PYTHON-PILLOW-1319443
SUSE-SU-2021:3234-1
SUSE-SU-2021:3235-1
SUSE-SU-2024:1673-1
SUSE-SU-2024:1673-2
USN-5227-1
USN-5227-2

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Pillow
Suse
Ubuntu