CVE-2021-27921

2021-03-0300:00:00

ubuntu.com

pillow version

denial of service

large image size

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

64.4%

JSON

Pillow before 8.1.1 allows attackers to cause a denial of service (memory
consumption) because the reported size of a contained image is not properly
checked for a BLP container, and thus an attempted memory allocation can be
very large.

Notes

Author	Note
mdeslaur	while this is mentioned in the 8.1.1 release notes, it doesn’t seem to be mentioned in the CHANGES file, and I can’t seem to locate the commits that fix this in 8.1.1 vs 8.1.0 This was actually fixed in 8.1.2.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpillow< 5.1.0-1ubuntu0.5UNKNOWN
ubuntu20.04noarchpillow< 7.0.0-4ubuntu0.3UNKNOWN
ubuntu20.10noarchpillow< 7.2.0-1ubuntu0.2UNKNOWN
ubuntu20.04noarchpillow-python2< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	pillow	< 5.1.0-1ubuntu0.5	UNKNOWN
ubuntu	20.04	noarch	pillow	< 7.0.0-4ubuntu0.3	UNKNOWN
ubuntu	20.10	noarch	pillow	< 7.2.0-1ubuntu0.2	UNKNOWN
ubuntu	20.04	noarch	pillow-python2	< any	UNKNOWN