Vulnerability Details : CVE-2021-28677
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
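The two accumulation strategies the description contrasts, as an added illustration that is not Pillow's own code: a byte-at-a-time reader that grows the line by bytes concatenation (the whole buffer is copied on every step, so cost grows with the square of the line length) beside a list-and-join reader that does the same job in linear time, both accepting \r, \n, \r\n and \n\r as line endings. The `EpsLineReader` class, the `read_lines` helper and the `bytes_copied` work counter are constructed for this example so the cost difference can be measured without timing.

```python
import io
LINE_ENDS = b"\r\n"

class EpsLineReader:
    """Constructed example, not Pillow's code: lines may end in \\r, \\n, \\r\\n or \\n\\r."""
    def __init__(self, fp):
        self.fp, self.char = fp, None  # char: one byte of lookahead kept between calls
        self.bytes_copied = 0          # work counter: bytes moved while accumulating

    def _consume_line_end(self, c):
        # c is the terminator just read (b"" at EOF); a second terminator byte right after it is dropped
        if c:
            nxt = self.fp.read(1)
            if nxt and nxt not in LINE_ENDS:
                self.char = nxt  # first byte of the next line

    def readline_quadratic(self):
        # Pre-fix pattern: concatenation copies the whole buffer per byte, n*(n+1)/2 copies per n-byte line
        s, self.char = self.char or b"", None
        c = self.fp.read(1)
        if not s and not c:
            return None  # EOF
        while c and c not in LINE_ENDS:
            s = s + c
            self.bytes_copied += len(s)
            c = self.fp.read(1)
        self._consume_line_end(c)
        return s

    def readline_linear(self):
        # Fixed pattern: collect bytes in a list and join once at the end.
        chunks, self.char = ([self.char] if self.char else []), None
        c = self.fp.read(1)
        if not chunks and not c:
            return None  # EOF
        while c and c not in LINE_ENDS:
            chunks.append(c)
            c = self.fp.read(1)
        self._consume_line_end(c)
        line = b"".join(chunks)
        self.bytes_copied += len(line)
        return line

def read_lines(data, method="linear"):
    # Split data into lines with the chosen reader; returns (lines, bytes_copied).
    reader = EpsLineReader(io.BytesIO(data))
    readline = getattr(reader, "readline_" + method)
    lines = []
    while (line := readline()) is not None:
        lines.append(line)
    return lines, reader.bytes_copied
```

A single 1000-byte line without a terminator costs the quadratic reader 500500 byte copies and the linear reader 1000, which is the asymmetry a crafted header exploits and the fix removes.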
Vulnerability category: Denial of service
Products affected by CVE-2021-28677
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-28677
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-28677
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
References for CVE-2021-28677
- https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
  [SECURITY] [DLA 2716-1] pillow security update (Third Party Advisory)
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
  8.2.0 — Pillow (PIL Fork) 8.2.0 documentation (Third Party Advisory)
- https://github.com/python-pillow/Pillow/pull/5377
  Security fixes for 8.2.0 by hugovk · Pull Request #5377 · python-pillow/Pillow · GitHub (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
  [SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/202107-33
  Pillow: Multiple vulnerabilities (GLSA 202107-33) — Gentoo security (Third Party Advisory)