CVE-2021-28678: Insufficient Verification of Data Authenticity in Pillow
CVSS Score (v3.1): 5.5
Basic Information
CVE ID: CVE-2021-28678
GHSA ID:
EPSS Score: 0.25592%
CWE:
Published: 6/8/2021
Updated: 10/14/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Pillow | pip | >= 5.1.0, < 8.2.0 | 8.2.0 |
Vulnerability Intelligence: Miggo AI
Root Cause Analysis
The vulnerability stems from multiple functions in BlpImagePlugin.py using direct file descriptor reads (fd.read()) without verifying the length of the returned data. The commit diff shows these fd.read() calls replaced with _safe_read(), which validates that the requested number of bytes was actually read. Specifically:
1) _read_palette handled color data without length checks;
2) _read_blp_header parsed critical offsets without validation;
3) Blp1Decoder._load processed image streams without verifying that the read succeeded.
These unverified reads allowed attackers to trigger repeated decoder executions on empty or invalid data, enabling the DoS vulnerability.
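The following is an added example, not Pillow's own code or the code from the fix commit. It shows the defect class described above on a constructed, BLP-like toy format (4-byte magic, a u32 palette offset, a u32 entry count, then RGBA palette entries): an unchecked fp.read() silently returns fewer bytes than requested (or nothing at all when an offset points past EOF), so the caller proceeds on empty data, while a length-validating reader in the spirit of Pillow's _safe_read raises instead. The names safe_read, build_sample and load_palette and the toy layout are assumptions made for this illustration.

```python
import io
import struct

# Cap on a single read() so a hostile size field cannot force one huge allocation.
SAFEBLOCK = 1024 * 1024


def safe_read(fp, size):
    """Return exactly `size` bytes from fp, or raise OSError.

    Illustrative reimplementation of the idea behind Pillow's _safe_read (not
    Pillow's code): a short or empty read is an error, never silently data.
    """
    if size <= 0:
        return b""
    chunks, remaining = [], size
    while remaining > 0:
        block = fp.read(min(remaining, SAFEBLOCK))
        if not block:  # EOF before `size` bytes arrived
            break
        chunks.append(block)
        remaining -= len(block)
    data = b"".join(chunks)
    if len(data) < size:
        raise OSError(f"truncated read: wanted {size} bytes, got {len(data)}")
    return data


def build_sample(palette_entries, palette_offset=None, truncate_to=None):
    """Construct a toy BLP-like blob (constructed sample input, not a real BLP file).

    Layout: b"BLP1", u32 little-endian palette offset, u32 entry count, RGBA entries.
    """
    header_size = 12
    if palette_offset is None:
        palette_offset = header_size
    body = b"".join(struct.pack("<4B", *entry) for entry in palette_entries)
    blob = b"BLP1" + struct.pack("<II", palette_offset, len(palette_entries)) + body
    return blob if truncate_to is None else blob[:truncate_to]


def load_palette(blob, strict):
    """Parse the toy palette.

    strict=False mimics the unchecked fd.read() pattern from the vulnerable
    code; strict=True routes every read through safe_read.
    """
    fp = io.BytesIO(blob)
    read = safe_read if strict else (lambda f, n: f.read(n))
    try:
        magic = read(fp, 4)
        if magic != b"BLP1":
            return {"status": "bad-magic", "entries": 0}
        offset, count = struct.unpack("<II", read(fp, 8))
        fp.seek(offset)            # file-controlled offset may point past EOF
        raw = read(fp, count * 4)  # unchecked: returns b"" past EOF with no error
        entries = [struct.unpack("<4B", raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]
        return {"status": "ok", "entries": len(entries)}
    except OSError as exc:
        return {"status": "truncated", "entries": 0, "detail": str(exc)}


if __name__ == "__main__":
    palette = [(i, 0, 0, 255) for i in range(4)]
    for label, blob in [
        ("intact file", build_sample(palette)),
        ("offset past EOF", build_sample(palette, palette_offset=10_000)),
        ("file cut mid-palette", build_sample(palette, truncate_to=18)),
    ]:
        print(label, "unchecked:", load_palette(blob, strict=False),
              "| checked:", load_palette(blob, strict=True))
```

With the unchecked reader, both the past-EOF offset and the truncated file come back with status "ok" and a palette that is empty or partial, which is exactly the condition under which the caller keeps invoking the decoder on data it never received; with safe_read, the same inputs fail fast with an OSError that the image loader can surface as a corrupt file.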