CVE-2021-28676 - OpenCVE

An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Python	Pillow
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856	Patch
https://github.com/python-pillow/Pillow/pull/5377	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/	Mailing List
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos	Release Notes Third Party Advisory
https://security.gentoo.org/glsa/202107-33	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-06-02T00:00:00

Updated: 2023-11-16T22:21:57.599702

Reserved: 2021-03-18T00:00:00

Link: CVE-2021-28676

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-02T16:15:08.797

Modified: 2023-12-22T15:15:07.550

Link: CVE-2021-28676

JSON object: View

Redhat Information

No data.

CWE

CWE-835

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "67AB0921-A1F5-4B3B-BED5-FC8B1DAF30C6", "versionEndExcluding": "8.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Pillow versiones anteriores a 8.2.0,. En el caso de los datos FLI, la funci\u00f3n FliDecode no comprobaba correctamente que el avance del bloque fuera distinto de cero, lo que pod\u00eda conllevar un bucle infinito en la carga"}], "id": "CVE-2021-28676", "lastModified": "2023-12-22T15:15:07.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T16:15:08.797", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/python-pillow/Pillow/pull/5377"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-33"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}