PT-2021-6916 · Pypi+4 · Pillow+4

Published

2021-03-03

Updated

2024-06-15

CVE-2021-25289

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 8.1.1

Description The issue is caused by a heap-based buffer overflow in the Pillow library when decoding crafted YCbCr files, potentially allowing a remote attacker to impact the confidentiality and integrity of protected information. This occurs due to certain interpretation conflicts with LibTIFF in RGBA mode.

Recommendations For Pillow versions prior to 8.1.1, update to version 8.1.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the TiffDecode function when decoding YCbCr files in RGBA mode until a patch is available. Restrict access to sensitive image files to minimize the risk of exploitation.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALT-PU-2021-1491

BDU:2022-02667

BIT-PILLOW-2021-25289

CVE-2021-25289

GHSA-57H3-9RGR-C24M

OPENSUSE-SU-2021:1134-1

OPENSUSE-SU-2021_1134-1

OPENSUSE-SU-2024:11209-1

OPENSUSE-SU-2024:13827-1

OPENSUSE-SU-2024_1673-1

PYSEC-2021-35

SUSE-SU-2024:1673-1

SUSE-SU-2024:1673-2

USN-4763-1

Affected Products

Alt Linux

Linuxmint

Pillow

Suse

Ubuntu

PT-2021-6916 · Pypi+4 · Pillow+4

CVE-2021-25289

Weakness Enumeration

Related Identifiers

Affected Products

References · 79