VDB
CVE-2021-28678
CVE-2021-28678
PUBLISHED
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
EPSS 0.11% · 29.1th percentile
Risk Scores
EPSS Score
0.11%
29.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | pillow | 0 |
| Bitnami | pillow | 0 |
Timeline
- May 10, 2021 CVE Published
- Jun 3, 2021 EPSS Score
- Aug 5, 2021 EPSS Score
- Oct 5, 2021 EPSS Score
- Dec 5, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 6, 2022 EPSS Score
- Jun 6, 2022 EPSS Score
- Aug 7, 2022 EPSS Score
- Oct 6, 2022 EPSS Score
- Dec 6, 2022 EPSS Score
References
- https://github.com/python-pillow/Pillow/pull/5377 url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/ url
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos url
- https://security.gentoo.org/glsa/202107-33 url
- https://nvd.nist.gov/vuln/detail/CVE-2021-28678 url