CVE-2020-10994
Out-of-bounds Read vulnerability in pillow (PyPI)
What is CVE-2020-10994 About?
Multiple out-of-bounds read vulnerabilities exist in Pillow's `libImaging/Jpeg2KDecode.c` when processing crafted JP2 files. These flaws can lead to application crashes (denial of service) or potentially information disclosure. Exploitation requires providing specifically malformed JP2 images and is moderately complex.
Affected Software
- pillow
  - <7.1.0
  - <7.0.0
Technical Details
The vulnerability is present in the libImaging/Jpeg2KDecode.c component of Pillow, which is responsible for decoding JPEG 2000 (JP2) image files. An attacker can create a specially malformed JP2 file that, when processed by Pillow, triggers multiple instances of 'out-of-bounds reads'. This means the decoder attempts to access memory locations beyond the boundaries of designated buffers. Such operations can corrupt memory, leading to application crashes and a denial of service. Additionally, reading from arbitrary memory locations can result in the leakage of sensitive data or memory addresses, which could be used to bypass mitigations like ASLR and facilitate further, more severe exploitation such as arbitrary code execution.
What is the Impact of CVE-2020-10994?
Successful exploitation may allow attackers to cause application crashes, resulting in a denial of service, or potentially lead to information disclosure facilitating further attacks.
What is the Exploitability of CVE-2020-10994?
Exploitation involves a moderate level of complexity, as it requires the careful crafting of a malicious JP2 image file to trigger the specific out-of-bounds read conditions. No authentication or elevated privileges are required. This vulnerability can be exploited remotely if the target application processes untrusted JP2 image files, for instance, via image upload forms or through displaying external dynamic content. The crucial prerequisite is that the system uses a vulnerable version of Pillow and processes JP2 images from untrusted sources. Risk increases when image processing happens on critical infrastructure or when user-supplied images are not rigorously validated.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-10994?
Available Upgrade Options
- pillow
  - <7.0.0 → Upgrade to 7.0.0
  - <7.1.0 → Upgrade to 7.1.0
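A defensive pre-processing gate for the two points above (refuse JPEG 2000 input from untrusted sources while a Pillow release below the fixed 7.1.0 is installed), written as an added example that is not part of this advisory or of Pillow itself. It needs only the standard library; the magic bytes are the JP2 signature box and the J2K SOC/SIZ markers, the sample blobs are constructed, and `installed_pillow_version` assumes the package is installed under the distribution name Pillow.

```python
import re

# Fixed release per the upgrade options above: every version below 7.1.0 is affected.
FIXED_VERSION = (7, 1, 0)

# Content signatures for JPEG 2000 input (checked on the bytes, not the extension).
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"  # JP2 container: signature box
J2K_CODESTREAM = b"\xff\x4f\xff\x51"               # raw codestream: SOC + SIZ markers


def parse_version(version: str) -> tuple:
    """Turn '7.0.0', '6.2.2' or '7.1.0.post1' into a comparable int tuple."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(pillow_version: str) -> bool:
    """True when the given Pillow version is below the 7.1.0 fix."""
    return parse_version(pillow_version) < FIXED_VERSION


def is_jpeg2000(data: bytes) -> bool:
    """Detect JP2/J2K by leading bytes; a renamed .png does not fool this."""
    return data.startswith(JP2_SIGNATURE) or data.startswith(J2K_CODESTREAM)


def should_reject(data: bytes, pillow_version: str) -> bool:
    """Refuse JPEG 2000 uploads while a vulnerable Pillow is the decoder."""
    return is_jpeg2000(data) and is_affected(pillow_version)


def installed_pillow_version() -> str:
    """Read the locally installed Pillow version (assumes the 'Pillow' distribution)."""
    from importlib.metadata import version
    return version("Pillow")


if __name__ == "__main__":
    # Constructed sample headers, not real image files.
    jp2_upload = JP2_SIGNATURE + b"\x00" * 16
    png_upload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for label, blob in (("jp2", jp2_upload), ("png", png_upload)):
        print(label, "reject" if should_reject(blob, "7.0.0") else "accept")
```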
Additional Resources
- https://github.com/python-pillow/Pillow/pull/4505
- https://usn.ubuntu.com/4430-1
- https://pillow.readthedocs.io/en/stable/releasenotes/
- https://nvd.nist.gov/vuln/detail/CVE-2020-10994
- https://github.com/python-pillow/Pillow/commits/master/src/libImaging
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-79.yaml
- https://pillow.readthedocs.io/en/stable/releasenotes/7.1.0.html
- https://github.com/python-pillow/Pillow/commit/ff60894d697d1992147b791101ad53a8bf1352e4
What are Similar Vulnerabilities to CVE-2020-10994?
Similar Vulnerabilities: CVE-2021-25287, CVE-2020-10378, CVE-2021-25288, CVE-2018-19702, CVE-2019-1010080
