Vulnerability-Lookup

WID-SEC-W-2022-1835

Vulnerability from csaf_certbund - Published: 2021-11-09 23:00 - Updated: 2026-03-30 22:00

Summary

Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2020-35653

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2020-35655

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25287

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25288

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25290

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25292

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25293

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27921

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27922

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27923

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28675

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28676

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28677

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28678

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-34552

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

References

12 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2021:4149	external
https://access.redhat.com/errata/RHSA-2021:4702	external
https://packetstormsecurity.com/files/165588/USN-…	external
https://ubuntu.com/security/notices/USN-5227-3	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://ubuntu.com/security/notices/USN-8135-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1835 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1835.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1835 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1835"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2021-11-09",
        "url": "https://access.redhat.com/errata/RHSA-2021:4149"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4702 vom 2021-11-16",
        "url": "https://access.redhat.com/errata/RHSA-2021:4702"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5227-1 vom 2022-01-17",
        "url": "https://packetstormsecurity.com/files/165588/USN-5227-2.txt"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5227-3 vom 2022-10-24",
        "url": "https://ubuntu.com/security/notices/USN-5227-3"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2023-2083 vom 2023-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-2087 vom 2023-06-13",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2023-2105 vom 2023-07-01",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1607-1 vom 2024-05-11",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G2ZGHJ52ROAMO32KNZTUOETPD6QKSIDY/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1673-2 vom 2024-06-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018714.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8135-1 vom 2026-03-31",
        "url": "https://ubuntu.com/security/notices/USN-8135-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-30T22:00:00.000+00:00",
      "generator": {
        "date": "2026-03-31T11:44:10.723+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2022-1835",
      "initial_release_date": "2021-11-09T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-11-09T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2021-11-10T23:00:00.000+00:00",
          "number": "2",
          "summary": "Anpassung"
        },
        {
          "date": "2021-11-16T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-01-17T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2022-10-24T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2023-06-08T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2023-06-12T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2023-07-02T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-05-12T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-13T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-03-30T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "11"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Pillow",
                "product": {
                  "name": "Open Source Python Pillow",
                  "product_id": "T020996",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:python:python:pillow"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Python"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8",
                "product": {
                  "name": "Red Hat Enterprise Linux 8",
                  "product_id": "T014111",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-35653",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2020-35653"
    },
    {
      "cve": "CVE-2020-35655",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2020-35655"
    },
    {
      "cve": "CVE-2021-25287",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25287"
    },
    {
      "cve": "CVE-2021-25288",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25288"
    },
    {
      "cve": "CVE-2021-25290",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25290"
    },
    {
      "cve": "CVE-2021-25292",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25292"
    },
    {
      "cve": "CVE-2021-25293",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25293"
    },
    {
      "cve": "CVE-2021-27921",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27921"
    },
    {
      "cve": "CVE-2021-27922",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27922"
    },
    {
      "cve": "CVE-2021-27923",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27923"
    },
    {
      "cve": "CVE-2021-28675",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28675"
    },
    {
      "cve": "CVE-2021-28676",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28676"
    },
    {
      "cve": "CVE-2021-28677",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28677"
    },
    {
      "cve": "CVE-2021-28678",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28678"
    },
    {
      "cve": "CVE-2021-34552",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-34552"
    }
  ]
}

CVE-2020-35653 (GCVE-0-2020-35653)

Vulnerability from cvelistv5 – Published: 2021-01-12 08:02 – Updated: 2024-08-04 17:09

Summary

In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

4 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:09:14.596Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
          },
          {
            "name": "FEDORA-2021-a8ddc1ce70",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
          },
          {
            "name": "FEDORA-2021-880aa7bd27",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
          },
          {
            "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-22T12:06:13.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
        },
        {
          "name": "FEDORA-2021-a8ddc1ce70",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
        },
        {
          "name": "FEDORA-2021-880aa7bd27",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
        },
        {
          "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-35653",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
            },
            {
              "name": "FEDORA-2021-a8ddc1ce70",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
            },
            {
              "name": "FEDORA-2021-880aa7bd27",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
            },
            {
              "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-35653",
    "datePublished": "2021-01-12T08:02:35.000Z",
    "dateReserved": "2020-12-23T00:00:00.000Z",
    "dateUpdated": "2024-08-04T17:09:14.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-35655 (GCVE-0-2020-35655)

Vulnerability from cvelistv5 – Published: 2021-01-12 08:08 – Updated: 2024-08-04 17:09

Summary

In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

3 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:09:14.831Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
          },
          {
            "name": "FEDORA-2021-a8ddc1ce70",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
          },
          {
            "name": "FEDORA-2021-880aa7bd27",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-24T02:06:07.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
        },
        {
          "name": "FEDORA-2021-a8ddc1ce70",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
        },
        {
          "name": "FEDORA-2021-880aa7bd27",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-35655",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read when decoding crafted SGI RLE image files because offsets and length tables are mishandled."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/index.html"
            },
            {
              "name": "FEDORA-2021-a8ddc1ce70",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/"
            },
            {
              "name": "FEDORA-2021-880aa7bd27",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-35655",
    "datePublished": "2021-01-12T08:08:47.000Z",
    "dateReserved": "2020-12-23T00:00:00.000Z",
    "dateUpdated": "2024-08-04T17:09:14.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25287 (GCVE-0-2021-25287)

Vulnerability from cvelistv5 – Published: 2021-06-02 15:13 – Updated: 2024-08-03 19:56

Summary

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

4 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://github.com/python-pillow/Pillow/pull/5377…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.099Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
          },
          {
            "name": "FEDORA-2021-77756994ba",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-15T06:07:07.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
        },
        {
          "name": "FEDORA-2021-77756994ba",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25287",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
            },
            {
              "name": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470",
              "refsource": "MISC",
              "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
            },
            {
              "name": "FEDORA-2021-77756994ba",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25287",
    "datePublished": "2021-06-02T15:13:14.000Z",
    "dateReserved": "2021-01-17T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:56:11.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25288 (GCVE-0-2021-25288)

Vulnerability from cvelistv5 – Published: 2021-06-02 15:13 – Updated: 2024-08-03 19:56

Summary

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

4 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://github.com/python-pillow/Pillow/pull/5377…	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
          },
          {
            "name": "FEDORA-2021-77756994ba",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-15T06:06:47.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
        },
        {
          "name": "FEDORA-2021-77756994ba",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25288",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode"
            },
            {
              "name": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470",
              "refsource": "MISC",
              "url": "https://github.com/python-pillow/Pillow/pull/5377#issuecomment-833821470"
            },
            {
              "name": "FEDORA-2021-77756994ba",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25288",
    "datePublished": "2021-06-02T15:13:28.000Z",
    "dateReserved": "2021-01-17T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:56:11.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25290 (GCVE-0-2021-25290)

Vulnerability from cvelistv5 – Published: 2021-03-19 03:29 – Updated: 2024-08-03 19:56

Summary

An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

3 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO
https://lists.debian.org/debian-lts-announce/2021…	mailing-listx_refsource_MLIST

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.089Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          },
          {
            "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-22T12:06:15.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        },
        {
          "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25290",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is a negative-offset memcpy with an invalid size."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            },
            {
              "name": "[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25290",
    "datePublished": "2021-03-19T03:29:57.000Z",
    "dateReserved": "2021-01-17T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:56:11.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25292 (GCVE-0-2021-25292)

Vulnerability from cvelistv5 – Published: 2021-03-19 03:30 – Updated: 2024-08-03 19:56

Summary

An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

2 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.180Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-15T06:06:49.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25292",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25292",
    "datePublished": "2021-03-19T03:30:39.000Z",
    "dateReserved": "2021-01-17T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:56:11.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-25293 (GCVE-0-2021-25293)

Vulnerability from cvelistv5 – Published: 2021-03-19 03:30 – Updated: 2024-08-03 19:56

Summary

An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

2 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.179Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-15T06:07:12.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-25293",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-25293",
    "datePublished": "2021-03-19T03:30:46.000Z",
    "dateReserved": "2021-01-17T00:00:00.000Z",
    "dateUpdated": "2024-08-03T19:56:11.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-27921 (GCVE-0-2021-27921)

Vulnerability from cvelistv5 – Published: 2021-03-03 08:41 – Updated: 2025-08-15 04:41

Summary

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

9 references

URL	Tags
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202107-33	vendor-advisory
https://pillow.readthedocs.io/en/stable/releaseno…
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISCx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:33:16.796Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "FEDORA-2021-0ece308612",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
          },
          {
            "name": "FEDORA-2021-15845d3abe",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
          },
          {
            "name": "FEDORA-2021-9016a9b7bd",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-15T04:41:08.640Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2021-0ece308612",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
        },
        {
          "name": "FEDORA-2021-15845d3abe",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
        },
        {
          "name": "FEDORA-2021-9016a9b7bd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        },
        {
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-27921",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "FEDORA-2021-0ece308612",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
            },
            {
              "name": "FEDORA-2021-15845d3abe",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
            },
            {
              "name": "FEDORA-2021-9016a9b7bd",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-27921",
    "datePublished": "2021-03-03T08:41:57.000Z",
    "dateReserved": "2021-03-03T00:00:00.000Z",
    "dateUpdated": "2025-08-15T04:41:08.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-27922 (GCVE-0-2021-27922)

Vulnerability from cvelistv5 – Published: 2021-03-03 08:41 – Updated: 2025-08-15 04:38

Summary

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

9 references

URL	Tags
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202107-33	vendor-advisory
https://pillow.readthedocs.io/en/stable/releaseno…
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISCx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:33:17.231Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "FEDORA-2021-0ece308612",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
          },
          {
            "name": "FEDORA-2021-15845d3abe",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
          },
          {
            "name": "FEDORA-2021-9016a9b7bd",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-15T04:38:49.550Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2021-0ece308612",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
        },
        {
          "name": "FEDORA-2021-15845d3abe",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
        },
        {
          "name": "FEDORA-2021-9016a9b7bd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        },
        {
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-27922",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICNS container, and thus an attempted memory allocation can be very large."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "FEDORA-2021-0ece308612",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
            },
            {
              "name": "FEDORA-2021-15845d3abe",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
            },
            {
              "name": "FEDORA-2021-9016a9b7bd",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-27922",
    "datePublished": "2021-03-03T08:41:50.000Z",
    "dateReserved": "2021-03-03T00:00:00.000Z",
    "dateUpdated": "2025-08-15T04:38:49.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-27923 (GCVE-0-2021-27923)

Vulnerability from cvelistv5 – Published: 2021-03-03 08:41 – Updated: 2025-08-15 04:40

Summary

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large.

Severity

No CVSS data available.

CWE

Assigner

mitre

References

9 references

URL	Tags
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202107-33	vendor-advisory
https://pillow.readthedocs.io/en/stable/releaseno…
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISCx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORAx_transferred

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:33:16.870Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
          },
          {
            "name": "FEDORA-2021-0ece308612",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
          },
          {
            "name": "FEDORA-2021-15845d3abe",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
          },
          {
            "name": "FEDORA-2021-9016a9b7bd",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-15T04:40:08.382Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "FEDORA-2021-0ece308612",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
        },
        {
          "name": "FEDORA-2021-15845d3abe",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
        },
        {
          "name": "FEDORA-2021-9016a9b7bd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        },
        {
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-27923",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
            },
            {
              "name": "FEDORA-2021-0ece308612",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/"
            },
            {
              "name": "FEDORA-2021-15845d3abe",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/"
            },
            {
              "name": "FEDORA-2021-9016a9b7bd",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-27923",
    "datePublished": "2021-03-03T08:41:40.000Z",
    "dateReserved": "2021-03-03T00:00:00.000Z",
    "dateUpdated": "2025-08-15T04:40:08.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-1835

CVE-2020-35653 (GCVE-0-2020-35653)

CVE-2020-35655 (GCVE-0-2020-35655)

CVE-2021-25287 (GCVE-0-2021-25287)

CVE-2021-25288 (GCVE-0-2021-25288)

CVE-2021-25290 (GCVE-0-2021-25290)

CVE-2021-25292 (GCVE-0-2021-25292)

CVE-2021-25293 (GCVE-0-2021-25293)

CVE-2021-27921 (GCVE-0-2021-27921)

CVE-2021-27922 (GCVE-0-2021-27922)

CVE-2021-27923 (GCVE-0-2021-27923)

Tags

Sightings

Nomenclature