| Vulnerability Name: | CVE-2021-28678 (CCN-203003) | ||||||||||||||||||
| Assigned: | 2021-01-17 | ||||||||||||||||||
| Published: | 2021-01-17 | ||||||||||||||||||
| Updated: | 2021-09-14 | ||||||||||||||||||
| Summary: | An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. | ||||||||||||||||||
| CVSS v3 Severity: | 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) 4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
| ||||||||||||||||||
| Vulnerability Type: | CWE-345 CWE-20 | ||||||||||||||||||
| Vulnerability Consequences: | Denial of Service | ||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-28678 Source: XF Type: UNKNOWN pillow-cve202128678-dos(203003) Source: MISC Type: Patch, Third Party Advisory https://github.com/python-pillow/Pillow/pull/5377 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-77756994ba Source: CCN Type: Pillow Web site Pillow Source: MISC Type: Release Notes, Vendor Advisory https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos Source: GENTOO Type: Third Party Advisory GLSA-202107-33 | ||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration RedHat 1: Configuration RedHat 2:  Denotes that component is vulnerable | ||||||||||||||||||
| Oval Definitions | |||||||||||||||||||
| |||||||||||||||||||
| BACK | |||||||||||||||||||