Skip to content

Uncontrolled Resource Consumption in pillow

Moderate severity GitHub Reviewed Published Apr 22, 2021 in rhh/pyVulApp • Updated Jan 9, 2023

Package

pip pillow (pip)

Affected versions

< 8.1.1

Patched versions

8.1.2

Description

Impact

Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Patches

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Workarounds

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-27921

For more information

If you have any questions or comments about this advisory:

References

@rhh rhh published to rhh/pyVulApp Apr 22, 2021
Reviewed Apr 22, 2021
Published to the GitHub Advisory Database Apr 23, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-jgpv-4h4c-xhw3

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.