
CVE-2021-28678: Insufficient Verification of Data Authenticity in Pillow

CVSS Score (v3.1)
5.5

Basic Information

EPSS Score
0.25592%
Published
6/8/2021
Updated
10/14/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name
Pillow
Ecosystem
pip
Vulnerable Versions
>= 5.1.0, < 8.2.0
First Patched Version
8.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from multiple functions in BlpImagePlugin.py using direct file descriptor reads (fd.read()) without verifying the length of the returned data. The commit diff replaces fd.read() with _safe_read(), which raises if fewer bytes come back than were requested, in these functions. Specifically: 1) _read_palette consumed color data without length checks, 2) _read_blp_header parsed critical offsets without validation, and 3) Blp1Decoder._load processed image streams without verifying that the reads succeeded. Because a short read (for example after seeking to a file offset beyond the end of the file) silently yielded empty data instead of an error, a crafted file could make the decoder run repeatedly on empty or invalid data, which is the denial of service described by the CVE.
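The pattern the analysis describes, shown on a constructed toy container rather than the real BLP layout, as an added example that is not Pillow's code and not Miggo's: a header advertises per-level (offset, length) pairs, and the loader seeks to each offset and reads. `_unchecked_read` is the vulnerable idiom (whatever `fp.read()` returns is trusted, including `b""` past end of file); `_safe_read` is a hardened idiom modelled on the fix's idea (a short read is an error). Every name, format string and sample file here is an assumption made for the demonstration.

```python
import io
import struct

# Constructed toy container, loosely modelled on the structure the analysis
# describes (a header of per-level offsets and lengths, payloads elsewhere in
# the file). It is NOT the real BLP format and NOT Pillow's implementation.
_COUNT_FMT = "<I"    # number of levels
_LEVEL_FMT = "<II"   # (offset, length) per level


class TruncatedFileError(ValueError):
    """A read returned fewer bytes than the header said were present."""


def _safe_read(fp, size):
    """Hardened idiom: read exactly `size` bytes or raise.

    A short read after a seek (e.g. an offset beyond EOF) is treated as a
    malformed file instead of silently becoming empty data."""
    data = fp.read(size)
    if len(data) < size:
        raise TruncatedFileError(f"expected {size} bytes, got {len(data)}")
    return data


def _unchecked_read(fp, size):
    """Vulnerable idiom: whatever fp.read() returns is used as-is."""
    return fp.read(size)


def _decode_level(payload):
    """Stand-in for the per-level pixel decoder; returns bytes consumed."""
    return len(payload)


def load(data, read=_safe_read):
    """Parse the header, then visit every level the header advertises.

    Returns (decoder_runs, bytes_decoded). `read` selects which idiom is
    used for the file-offset reads."""
    fp = io.BytesIO(data)
    (count,) = struct.unpack(_COUNT_FMT, read(fp, struct.calcsize(_COUNT_FMT)))
    levels = [struct.unpack(_LEVEL_FMT, read(fp, struct.calcsize(_LEVEL_FMT)))
              for _ in range(count)]
    runs = consumed = 0
    for offset, length in levels:
        fp.seek(offset)               # offset comes straight from the file
        payload = read(fp, length)    # unchecked: b"" when offset is past EOF
        consumed += _decode_level(payload)
        runs += 1
    return runs, consumed


def build_file(levels, payloads=b""):
    """Constructed helper: serialise a header plus trailing payload bytes."""
    header = struct.pack(_COUNT_FMT, len(levels))
    header += b"".join(struct.pack(_LEVEL_FMT, off, ln) for off, ln in levels)
    return header + payloads


# Constructed well-formed file: one level, payload right after the header.
_HDR_LEN = struct.calcsize(_COUNT_FMT) + struct.calcsize(_LEVEL_FMT)
GOOD = build_file([(_HDR_LEN, 4)], b"\x01\x02\x03\x04")

# Constructed malformed file: 1000 levels whose offsets all lie past EOF,
# so every read returns b"" under the unchecked idiom.
MALFORMED = build_file([(1_000_000, 4096)] * 1000)


def demo():
    """Compare both idioms on both files.

    Returns (good_unchecked, good_checked, malformed_unchecked, verdict)."""
    good_unchecked = load(GOOD, _unchecked_read)
    good_checked = load(GOOD, _safe_read)
    malformed_unchecked = load(MALFORMED, _unchecked_read)  # 1000 runs on b""
    try:
        load(MALFORMED, _safe_read)
        verdict = "accepted"
    except TruncatedFileError:
        verdict = "rejected"          # fails on the very first bad level
    return good_unchecked, good_checked, malformed_unchecked, verdict


if __name__ == "__main__":
    print(demo())
```

With the unchecked idiom the malformed file drives the decoder through all 1000 advertised levels with empty input (the "run a large number of times on empty data" of the CVE text), while the checked idiom rejects it on the first short read and still decodes the well-formed file identically.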


WAF Protection Rules

WAF Rule

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
