Vulnerability Details : CVE-2021-23437

The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.

Vulnerability category: Denial of service

Published 2021-09-03 16:15:08

Updated 2023-01-31 17:28:56

Source Snyk

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-23437

Probability of exploitation activity in the next 30 days: 0.38%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 70 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	report@snyk.io
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

https://security.gentoo.org/glsa/202211-10

Pillow: Multiple Vulnerabilities (GLSA 202211-10) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html

8.3.2 — Pillow (PIL Fork) 8.3.2 documentation
Release Notes;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/

[SECURITY] Fedora 34 Update: mingw-python-pillow-8.1.2-4.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/

[SECURITY] Fedora 33 Update: python2-pillow-6.2.2-7.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443

Regular Expression Denial of Service (ReDoS) in pillow | Snyk
Exploit;Patch;Release Notes;Third Party Advisory
https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b

Raise ValueError if color specifier is too long · python-pillow/Pillow@9e08eb8 · GitHub
Patch;Third Party Advisory

Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Python » Pillow
Versions from including (>=) 5.2.0 and before (<) 8.3.2
cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Matching versions