BIT-pillow-2021-25288
Out-of-bounds Read vulnerability in pillow (PyPI)


What is BIT-pillow-2021-25288 About?

This vulnerability in Pillow, dating back to version 2.4.0, involves an out-of-bounds read error in the J2kDecode component during image processing. It can lead to denial of service or information disclosure. Exploitation requires providing a specially crafted JPEG 2000 image file and is moderately complex.

Affected Software

  • pillow
    • <8.2.0
    • >=2.4.0, <8.2.0

Technical Details

The vulnerability is an out-of-bounds read flaw located within the J2kDecode component of Pillow, specifically within the j2ku_gray_i function, which is responsible for decoding JPEG 2000 (J2K) images. An attacker can create a malformed J2K image file that, when processed by Pillow, causes the j2ku_gray_i function to attempt to read data from a memory address outside its allocated buffer. This unauthorized memory access can cause the application to crash, leading to a denial of service. Furthermore, depending on the memory layout, such an out-of-bounds read could potentially expose sensitive information from the application's memory or memory of other processes, which could be exploited for further attacks, such as bypassing Address Space Layout Randomization (ASLR).

What is the Impact of BIT-pillow-2021-25288?

Successful exploitation may allow attackers to cause application crashes, leading to a denial of service, or potentially facilitate information disclosure.

What is the Exploitability of BIT-pillow-2021-25288?

Exploitation involves a moderate level of complexity, requiring the creation of a meticulously crafted JPEG 2000 image file that triggers the specific out-of-bounds read within the j2ku_gray_i function. No authentication or elevated privileges are generally required; the attacker merely needs to be able to supply the malicious image file to an application that utilizes the vulnerable Pillow library. This can be a remote vulnerability if the application processes external image uploads or displays dynamically generated image content. The primary prerequisite is the target system's use of a vulnerable Pillow version and its interaction with untrusted J2K files. Systems that process user-generated or external image data are particularly exposed to this risk.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-pillow-2021-25288?

Available Upgrade Options

  • pillow
    • >=2.4.0, <8.2.0 → Upgrade to 8.2.0
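The exploitability section above notes that the real exposure is an application that hands untrusted JPEG 2000 files to a Pillow in the affected range, and the fix section gives that range as >=2.4.0, <8.2.0. The following added example (not part of this advisory and not Pillow's own code) shows the two checks a defender can wire in front of the decoder while an upgrade is pending: deciding from a version string whether the advisory applies, and recognising JPEG 2000 input by its magic bytes (the raw codestream SOC/SIZ markers and the 12-byte JP2 signature box) so it can be refused or routed to an isolated worker instead of reaching the J2K decoder. The sample headers in the `__main__` block are constructed for illustration.

```python
"""Pre-decode gate for untrusted image uploads on a Pillow < 8.2.0 host.

Added example for BIT-pillow-2021-25288; this is not code from the advisory
or from Pillow. It needs only the standard library, so it can run in an
upload handler before any image decoding takes place.
"""
import re
from typing import Tuple

VULNERABLE_MIN = (2, 4, 0)   # first affected release named in the advisory
FIXED_VERSION = (8, 2, 0)    # release that carries the fix

# Magic bytes of the two JPEG 2000 forms a J2K decoder accepts:
# the JP2 container's 12-byte signature box, and a raw codestream
# starting with the SOC (FF4F) and SIZ (FF51) markers.
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.1.2', '8.2.0.post1' or '9.0.0a1' into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True when the given Pillow version lies in >=2.4.0, <8.2.0."""
    return VULNERABLE_MIN <= parse_version(version) < FIXED_VERSION


def is_jpeg2000(data: bytes) -> bool:
    """Sniff the leading bytes of an upload for either JPEG 2000 form."""
    return data.startswith(JP2_SIGNATURE) or data.startswith(J2K_SOC_SIZ)


def gate_upload(data: bytes, pillow_version: str) -> str:
    """Return 'decode', or 'reject' when untrusted J2K would reach a vulnerable decoder."""
    if is_jpeg2000(data) and is_affected(pillow_version):
        return "reject"
    return "decode"


if __name__ == "__main__":
    # Constructed sample headers: JP2 container, raw J2K codestream, and PNG.
    samples = {
        "jp2": JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 ",
        "j2k": J2K_SOC_SIZ + b"\x00\x29",
        "png": b"\x89PNG\r\n\x1a\n",
    }
    for name, blob in samples.items():
        print(name, "8.1.2 ->", gate_upload(blob, "8.1.2"),
              "| 8.2.0 ->", gate_upload(blob, "8.2.0"))
```

Magic-byte sniffing is a stopgap, not a substitute for the 8.2.0 upgrade: it keeps the vulnerable code path from seeing external J2K data, but any other route by which Pillow could be asked to open such a file (format auto-detection on a differently labelled upload, for instance) still depends on the decoder being patched. The version tuple deliberately ignores pre-release and post-release suffixes so that a `8.2.0.post1` reads as fixed.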


Additional Resources

What are Similar Vulnerabilities to BIT-pillow-2021-25288?

Similar Vulnerabilities: CVE-2021-25287, CVE-2020-10378, CVE-2020-10994, CVE-2018-19702, CVE-2019-1010080