CVE-2021-28676

Published: 02/06/2021 Updated: 22/12/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

An issue exists in Pillow prior to 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Vulnerable Product

python pillow

fedoraproject fedora 33

Vendor Advisories

Debian Bug report logs - #989062 CVE-2021-25287 CVE-2021-25288 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678 Package: src:pillow; Maintainer for src:pillow is Matthias Klose <doko@debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Mon, 24 May 2021 20:57:04 UTC Severity: important Tags: ...

Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed (CVE-2014-9601). Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue ...