CVE-2021-28677
Uncontrolled Resource Consumption in Pillow
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.29%
Description
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.
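The description above is the whole story of the bug: a line reader that appends one byte at a time to an immutable `bytes` value re-copies the growing line on every step, so a single long line without `\r` or `\n` costs time proportional to its length squared. The following is an added example that models that pattern next to a linear replacement. It is not Pillow's own `EpsImagePlugin` code, and `readline_quadratic`, `readline_linear` and `split_lines` are hypothetical names; it only covers the line-splitting step, not EPS parsing. Both readers treat `\r`, `\n`, `\r\n` and `\n\r` as one line ending, and both report an approximate count of bytes copied so the quadratic cost is visible without relying on wall-clock timing. The inputs are constructed here.

```python
"""Model of the accidentally quadratic readline behind CVE-2021-28677.

Example code written for this page, not Pillow's implementation.
"""
import io
import re

# Any combination of \r and \n counts as a single line ending.
# Order matters: the two-byte endings must be tried before the single ones.
_LINE_END = re.compile(rb"\r\n|\n\r|\r|\n")
_CR_LF = (b"\r", b"\n")


def readline_quadratic(fp):
    """Vulnerable pattern: byte-at-a-time accumulation with `bytes +=`.

    Each `line += ch` builds a fresh bytes object of len(line) + 1, so a line
    of n bytes costs about n*n/2 byte copies. Returns (line, copied), or
    (None, copied) at end of input; `copied` counts bytes written.
    """
    line = b""
    copied = 0
    while True:
        ch = fp.read(1)
        if not ch:
            return (line if line else None), copied
        if ch in _CR_LF:
            # Swallow the second half of a \r\n or \n\r pair, if present.
            pos = fp.tell()
            nxt = fp.read(1)
            if not (nxt and nxt != ch and nxt in b"\r\n"):
                fp.seek(pos)
            return line, copied
        line += ch
        copied += len(line)


def readline_linear(fp, chunk_size=4096):
    """Linear replacement: read in chunks, find the ending with one regex
    search per chunk, and seek back to just after it. A bytearray extend is
    amortised O(len(chunk)), so total work is proportional to bytes consumed.
    Returns (line, copied) or (None, copied) at end of input.
    """
    start = fp.tell()
    buf = bytearray()
    copied = 0
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            if not buf:
                return None, copied
            return bytes(buf), copied + len(buf)
        buf += chunk
        copied += len(chunk)
        # Only the newly appended region can contain a not-yet-seen ending.
        m = _LINE_END.search(buf, len(buf) - len(chunk))
        if m is None:
            continue
        end = m.end()
        if end == len(buf) and len(m.group()) == 1:
            # A \r\n or \n\r pair may straddle the chunk boundary.
            nxt = fp.read(1)
            if nxt and nxt != m.group() and nxt in b"\r\n":
                end += 1
        fp.seek(start + end)
        return bytes(buf[: m.start()]), copied + m.start()


def split_lines(readline, data, **kwargs):
    """Run a readline function over `data` until end of input.

    Returns (lines, total_copied).
    """
    fp = io.BytesIO(data)
    lines, total = [], 0
    while True:
        line, copied = readline(fp, **kwargs)
        total += copied
        if line is None:
            return lines, total
        lines.append(line)


if __name__ == "__main__":
    # Constructed input: a valid-looking header followed by one long line
    # with no line ending at all, the shape a hostile EPS file would use.
    hostile = b"%!PS-Adobe-3.0\n" + b"A" * 20000
    _, quad = split_lines(readline_quadratic, hostile)
    _, lin = split_lines(readline_linear, hostile)
    print(f"quadratic reader copied {quad:,} bytes, linear reader {lin:,}")
```

Growing the hostile line from 20 KB to 2 MB multiplies the quadratic reader's work by ten thousand and the linear reader's by a hundred, which is the asymmetry an attacker exploits: the file is cheap to produce and is rejected or accepted only after the reader has finished with it.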
How to fix CVE-2021-28677
To remediate CVE-2021-28677, upgrade the affected package to a fixed version below.
- upgrade to 8.2.0-r0 or later
- upgrade to 8.2.0 or later
- upgrade to 8.1.2+dfsg-0.2 or later
- upgrade to 8.2.0 or later
- upgrade to 8.2.0 or later
Is CVE-2021-28677 being exploited?
Low. The EPSS score is 0.29%, meaning the model estimates well under a 1% probability that this CVE is exploited in the wild within the next 30 days. EPSS is a prediction, not a report of observed attacks; there is no indication here of exploitation activity at scale.
Affected packages (5)
- from 0, < 8.2.0-r0
- from 0, < 8.2.0
- from 0, < 8.1.2+dfsg-0.2
- from 0, < 8.2.0
- from 0, < 8.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | 7.5 (HIGH) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |