
CVE-2021-25287: Out-of-bounds Read in Pillow

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.4958%
Published: 6/8/2021
Updated: 10/9/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Pillow | pip | >= 2.4.0, < 8.2.0 | 8.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows the critical change in j2k_decode_entry, where the component width calculation was modified. Previously the tile size was derived from 'components', a per-mode value (hardcoded to 4 for 3-component images) that did not account for the individual component widths. The vulnerable calculation was tile_bytes = tile_width * tile_height * components, which could leave the buffer smaller than the data the unpacker reads from it, producing the out-of-bounds read. The patch introduces 'total_component_width', which sums the per-component sizes, confirming that this was the vulnerable code path. Although the CVE names j2ku_graya_la, that unpacker is one of the cases reached from j2k_decode_entry's general J2K decoding loop, so the size check in j2k_decode_entry is what protects it.
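To make the difference between the two size calculations concrete, the following is a constructed C model written for this page; it is not Pillow's J2kDecode.c, and the types `tile_t` and `comp_t` and the functions `output_tile_bytes`, `required_input_bytes`, `overread_bytes` and `unpack_tile` are this example's own names (the field names echo OpenJPEG's component descriptors but are assumptions, not that API). Each component is treated as a plane of 32-bit samples that may be subsampled. The pre-fix estimate multiplies the tile area by a per-mode `components` byte count, which sizes the output pixels but says nothing about how many input samples will be read; the post-fix estimate sums every plane's size, in the spirit of the patch's total_component_width, and the unpacker refuses to read a tile whose reported datasize is smaller than that sum.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_COMPS 4

/* Horizontal/vertical subsampling factors of one component plane.
   Constructed for this example, not an OpenJPEG or Pillow struct. */
typedef struct { int dx, dy; } comp_t;

/* A decoded tile as a decoder hands it back: pixel bounds, the number of
   bytes actually present in the sample buffer, and the component layout. */
typedef struct {
    int x0, y0, x1, y1;
    size_t datasize;
    int numcomps;
    comp_t comps[MAX_COMPS];
} tile_t;

static int valid_tile(const tile_t *t) {
    if (t->x1 <= t->x0 || t->y1 <= t->y0) return 0;
    if (t->numcomps < 1 || t->numcomps > MAX_COMPS) return 0;
    for (int n = 0; n < t->numcomps; n++)
        if (t->comps[n].dx < 1 || t->comps[n].dy < 1) return 0;
    return 1;
}

/* Width/height of one plane after subsampling (rounded up). */
static size_t comp_w(const tile_t *t, int n) {
    return ((size_t)(t->x1 - t->x0) + (size_t)t->comps[n].dx - 1) / (size_t)t->comps[n].dx;
}
static size_t comp_h(const tile_t *t, int n) {
    return ((size_t)(t->y1 - t->y0) + (size_t)t->comps[n].dy - 1) / (size_t)t->comps[n].dy;
}

/* Pre-fix style estimate: tile area times a per-mode byte count. It sizes
   the output buffer and ignores how the input planes are laid out. */
size_t output_tile_bytes(const tile_t *t, int components) {
    return (size_t)(t->x1 - t->x0) * (size_t)(t->y1 - t->y0) * (size_t)components;
}

/* Post-fix style estimate: sum of every component plane, each sample being
   a 32-bit integer, i.e. exactly the bytes the unpacker will read. */
size_t required_input_bytes(const tile_t *t) {
    size_t total = 0;
    for (int n = 0; n < t->numcomps; n++)
        total += comp_w(t, n) * comp_h(t, n) * sizeof(int32_t);
    return total;
}

/* Bytes an unchecked unpack would read past the end of the tile buffer. */
size_t overread_bytes(const tile_t *t) {
    size_t need = required_input_bytes(t);
    return need > t->datasize ? need - t->datasize : 0;
}

/* Unpack planar int32 samples into interleaved 8-bit pixels, upsampling
   subsampled planes by nearest neighbour. Returns pixels written, or -1 if
   the tile is malformed, its buffer is too small (the fix), or out is. */
long unpack_tile(const tile_t *t, const int32_t *data, uint8_t *out, size_t outsize) {
    if (!valid_tile(t)) return -1;
    size_t w = (size_t)(t->x1 - t->x0), h = (size_t)(t->y1 - t->y0);
    if (t->datasize < required_input_bytes(t)) return -1;   /* the added check */
    if (outsize < w * h * (size_t)t->numcomps) return -1;

    size_t plane_off[MAX_COMPS], off = 0;
    for (int n = 0; n < t->numcomps; n++) {
        plane_off[n] = off;
        off += comp_w(t, n) * comp_h(t, n);
    }
    for (size_t y = 0; y < h; y++)
        for (size_t x = 0; x < w; x++)
            for (int n = 0; n < t->numcomps; n++) {
                size_t idx = (y / (size_t)t->comps[n].dy) * comp_w(t, n) + x / (size_t)t->comps[n].dx;
                out[(y * w + x) * (size_t)t->numcomps + n] = (uint8_t)data[plane_off[n] + idx];
            }
    return (long)(w * h);
}

/* Constructed sample: a 4x2 tile, three components, chroma planes
   subsampled 2x2. 8 + 2 + 2 samples of 4 bytes = 48 bytes of input. */
static const tile_t SAMPLE_TILE = { 0, 0, 4, 2, 48, 3, { {1, 1}, {2, 2}, {2, 2} } };
static const int32_t SAMPLE_DATA[12] = {
    10, 11, 12, 13, 14, 15, 16, 17,   /* plane 0: 4x2 */
    220, 221,                         /* plane 1: 2x1 */
    230, 231                          /* plane 2: 2x1 */
};

/* Walk the scenario: a decoder that reports only 32 bytes for this tile is
   refused, while the well-formed tile unpacks. Returns 0 on success. */
int run_demo(void) {
    uint8_t out[4 * 2 * 3];
    tile_t bad = SAMPLE_TILE;
    bad.datasize = 32;                      /* equals output_tile_bytes(&bad, 4) */
    if (overread_bytes(&bad) != 16) return 1;
    if (unpack_tile(&bad, SAMPLE_DATA, out, sizeof out) != -1) return 2;
    if (unpack_tile(&SAMPLE_TILE, SAMPLE_DATA, out, sizeof out) != 8) return 3;
    if (out[0] != 10 || out[1] != 220 || out[22] != 221) return 4;
    return 0;
}
```

The point of the sample tile is that the old area-times-components figure (32) happens to match the malformed buffer's datasize, so nothing in that calculation flags the tile, while summing the planes shows the unpacker would read 16 bytes beyond the buffer.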


WAF Protection Rules

WAF Rule

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.
