BIT-pillow-2021-28678
Denial of Service vulnerability in pillow (PyPI)
What is BIT-pillow-2021-28678 About?
This is a Denial of Service vulnerability in Pillow before 8.2.0, affecting BLP data processing in `BlpImagePlugin`. It occurs because the plugin did not properly check for returned data after jumping to file offsets, leading to repeated processing of empty data. Attackers can exploit this with a crafted BLP file, causing a denial of service through excessive computation.
Affected Software
- pillow
  - <8.2.0
  - >=5.1.0, <8.2.0
Both ranges resolve to the same fixed release, 8.2.0; the second also records the lower bound, since the BLP plugin first shipped in Pillow 5.1.0 and earlier releases do not contain the affected code.
Technical Details
The flaw is in BlpImagePlugin, the decoder Pillow uses for BLP (Blizzard texture) files, in versions before 8.2.0. A BLP file carries offsets that the plugin seeks to before reading data (for example the per-mipmap data). Before the fix, the plugin did not verify that a read issued after such a seek actually returned the requested bytes. A crafted file can therefore point offsets at regions past the end of the file, or at regions that yield no data, so the read returns empty; the plugin nonetheless carries on, and the decoder can be run a large number of times on empty data, consuming CPU without making progress. Instead of failing fast with an error on the truncated read, the process stays busy, which is the denial of service.
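The pattern described above, as an added example that is not Pillow's code: a toy offset-table format (constructed for illustration, not the real BLP layout) is parsed twice, once by a reader that trusts whatever `read()` returns after a seek, and once by a reader that insists on receiving the full requested length. The `safe_read` helper enforces the same contract as the truncated-read check the 8.2.0 fix adds (reads after seeks must return data); the format, function names and sample input are assumptions made for this example.

```python
import io
import struct

# Constructed toy format (NOT the real BLP layout): a 4-byte magic, a uint32
# entry count, then `count` pairs of (uint32 offset, uint32 length). Each entry
# is consumed by seeking to `offset` and reading `length` bytes, which is the
# seek-then-read pattern the advisory describes.
MAGIC = b"TOY1"


def build_file(chunks, bogus_entries=0):
    """Build a toy file. `chunks` are stored in order after the header.
    `bogus_entries` appends that many table entries whose offsets point past
    end-of-file, so a read there returns b"" (the crafted-input shape)."""
    count = len(chunks) + bogus_entries
    header_len = 8 + 8 * count
    table, pos = [], header_len
    for c in chunks:
        table.append((pos, len(c)))
        pos += len(c)
    body = b"".join(chunks)
    eof = header_len + len(body)
    for _ in range(bogus_entries):
        table.append((eof + 0x1000, 4096))  # beyond EOF: read() yields b""
    hdr = MAGIC + struct.pack("<I", count)
    hdr += b"".join(struct.pack("<II", off, ln) for off, ln in table)
    return hdr + body


def _read_table(fp):
    if fp.read(4) != MAGIC:
        raise ValueError("bad magic")
    (count,) = struct.unpack("<I", fp.read(4))
    return [struct.unpack("<II", fp.read(8)) for _ in range(count)]


def decode_chunk(data):
    # Stand-in for the per-chunk decoding work; returns bytes processed.
    return len(data)


def parse_unchecked(data):
    """Vulnerable pattern: seek, read, and pass the result straight to the
    decoder without checking how much came back. Every past-EOF entry still
    costs one decoder run on empty data. Returns (decoder runs, bytes decoded)."""
    fp = io.BytesIO(data)
    runs = total = 0
    for off, ln in _read_table(fp):
        fp.seek(off)
        total += decode_chunk(fp.read(ln))
        runs += 1
    return runs, total


def safe_read(fp, n):
    """Read exactly n bytes or raise. Assumption for this example: the format
    never legitimately delivers fewer bytes than the table promises."""
    buf = fp.read(n)
    if len(buf) < n:
        raise OSError(f"truncated read: wanted {n} bytes, got {len(buf)}")
    return buf


def parse_checked(data):
    """Hardened pattern: same walk, but a short read after a seek aborts at once,
    so a table full of past-EOF entries costs one failed read, not N decodes."""
    fp = io.BytesIO(data)
    runs = total = 0
    for off, ln in _read_table(fp):
        fp.seek(off)
        total += decode_chunk(safe_read(fp, ln))
        runs += 1
    return runs, total


def is_rejected(data):
    """True if the hardened parser refuses the input."""
    try:
        parse_checked(data)
    except OSError:
        return True
    return False


if __name__ == "__main__":
    good = build_file([b"abc", b"defgh"])
    print("unchecked:", parse_unchecked(good), "checked:", parse_checked(good))
    bad = build_file([b"abc"], bogus_entries=100_000)
    print("unchecked on crafted file:", parse_unchecked(bad))
    print("checked rejects crafted file:", is_rejected(bad))
```

The crafted file costs the attacker eight bytes per bogus table entry, while the unchecked reader pays one decoder invocation per entry; the checked reader stops on the first empty read. The same shape of guard applies to any format parser that trusts an offset table: verify the length of every read that follows a seek.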
What is the Impact of BIT-pillow-2021-28678?
Successful exploitation lets an attacker who can get the application to decode a BLP file tie up CPU in the decoder, making the process unresponsive and denying service to other users. Availability is the only impact; the flaw does not expose or alter data.
What is the Exploitability of BIT-pillow-2021-28678?
Exploitation requires getting the target to decode a specially crafted BLP image; crafting one takes familiarity with the BLP layout and with how BlpImagePlugin walks its file offsets, so that the offsets resolve to empty reads. No authentication or privileges are needed beyond the ability to supply the file. The vector is remote wherever the application decodes user-supplied images (uploads, thumbnailing, format sniffing) and local where a process feeds the library directly. Note that Pillow selects the plugin from the file's magic bytes, not its extension, so an upload filter based on extension alone does not keep a BLP payload away from the plugin.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-pillow-2021-28678?
Available Upgrade Options
- pillow
  - >=5.1.0, <8.2.0 → Upgrade to 8.2.0 or later
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-28678
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-94.yaml
- https://github.com/advisories/GHSA-hjfx-8p6c-g7gx
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
- https://github.com/python-pillow/Pillow/pull/5377/commits/496245aa4365d0827390bd0b6fbd11287453b3a1
- https://github.com/python-pillow/Pillow/pull/5377
What are Similar Vulnerabilities to BIT-pillow-2021-28678?
Similar Vulnerabilities: CVE-2021-27923, GHSA-jgpv-4h4c-xhw3, CVE-2021-25291, CVE-2022-22816, CVE-2020-11538
