Miggo Logo
Miggo Vulnerability Database
CVE-2021-28678

CVE-2021-28678: Insufficient Verification of Data Authenticity in Pillow

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-28678
GHSA ID
GHSA-hjfx-8p6c-g7gx
EPSS Score
0.25592%
CWE
CWE-345
Published
6/8/2021
Updated
10/14/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
Pillowpip>= 5.1.0, < 8.2.08.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from multiple functions in BlpImagePlugin.py using direct file descriptor reads (fd.read()) without verifying the returned data length. The commit diff shows replacements of fd.read() with _safe_read() (which validates read lengths) in these functions. Specifically: 1) _read_palette handled color data without length checks, 2) _read_blp_header parsed critical offsets without validation, and 3) Blp1Decoder._load processed image streams without verifying read success. These unverified reads allowed attackers to trigger repeated decoder executions on empty/invalid data, enabling the DoS vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Pillow ***or* *.*.*. *or *LP **t*, *lpIm***Plu*in *i* not prop*rly ****k t**t r***s (**t*r jumpin* to *il* o**s*ts) r*turn** **t*. T*is *oul* l*** to * *oS w**r* t** ***o**r *oul* ** run * l*r** num**r o* tim*s on *mpty **t

Reasoning

T** vuln*r**ility st*ms *rom multipl* *un*tions in *lpIm***Plu*in.py usin* *ir**t *il* **s*riptor r***s (**.r***()) wit*out v*ri*yin* t** r*turn** **t* l*n*t*. T** *ommit *i** s*ows r*pl***m*nts o* **.r***() wit* _s***_r***() (w*i** v*li**t*s r*** l*