Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-28678

Good to know:

icon
icon

Date: June 2, 2021

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Language: Python

Severity Score

Related Resources (15)

https://security-tracker.debian.org/tracker/CVE-2021-28678
https://github.com/python-pillow/Pillow
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
https://access.redhat.com/security/cve/CVE-2021-28678
https://github.com/advisories/GHSA-hjfx-8p6c-g7gx
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
https://github.com/python-pillow/Pillow/pull/5377
https://nvd.nist.gov/vuln/detail/CVE-2021-28678
https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml
https://security.gentoo.org/glsa/202107-33
https://security.alpinelinux.org/vuln/CVE-2021-28678
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
https://github.com/python-pillow/Pillow/pull/5377/commits/496245aa4365d0827390bd0b6fbd11287453b3a1
https://www.mend.io/vulnerability-database/CVE-2021-28678

Severity Score

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

Top Fix

icon

Upgrade Version

Upgrade to version pillow - 8.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us