CVE-2021-23437
Regular Expression Denial of Service (ReDoS) vulnerability in pillow (PyPI)
What is CVE-2021-23437 About?
This is a Regular Expression Denial of Service (ReDoS) vulnerability in the Pillow library's `ImageColor.getrgb` function, affecting versions 5.2.0 up to but not including 8.3.2. A crafted color string passed to `getrgb` forces the regular expressions it uses to parse color specifiers into heavy backtracking, consuming CPU time out of proportion to the input and denying service to the calling process. Exploitation is straightforward wherever attacker-controlled strings reach the function.
Affected Software
- pillow
- PyPI releases: >=5.2.0, <8.3.2
- git checkouts: any commit before 9e08eb8f78fdfd2f476e1b20b7cf38683754866b (the fix commit, released in 8.3.2)
Technical Details
The vulnerability exists in the `getrgb` function of Pillow's `ImageColor` module, in versions 5.2.0 up to but not including 8.3.2. `getrgb` accepts a color specifier as a string and, after a colormap lookup, tries a sequence of regular expressions against it to recognise forms such as `#rrggbb`, `rgb(...)`, `hsl(...)` and `hsv(...)`. Before 8.3.2 there was no limit on the length of the string handed to these regexes, and some of them contain ambiguous repetition (adjacent quantified sub-patterns that can consume the same characters). On a long input that is deliberately never completed, the regex engine tries every way of splitting the input between the overlapping quantifiers before it can report no match, so the CPU time spent grows polynomially with the input length. One such call can monopolise a worker thread or process for seconds to minutes, which is the denial of service.
What is the Impact of CVE-2021-23437?
Successful exploitation lets an attacker exhaust CPU time in the process that calls `getrgb`, making the affected application unresponsive for the duration of the match (and, with repeated requests, indefinitely). The impact is on availability only; no memory corruption, data disclosure or code execution is involved.
What is the Exploitability of CVE-2021-23437?
Exploiting this ReDoS vulnerability only requires delivering a carefully crafted string to `getrgb`, so the attack complexity is low to moderate and depends entirely on whether an attacker can control that input. No authentication or privileges are needed. Note that `getrgb` is also reached indirectly: `Image.new()` called with a color string, and fill or outline colors given as strings to `ImageDraw`, go through `ImageColor.getcolor()`, which calls `getrgb()`. Any web application that lets users supply a color name or `rgb(...)`/`hsl(...)` value for image generation is therefore remotely exploitable; local exploitation is possible when a malicious program passes crafted data into the same code paths. The single precondition is that untrusted strings reach the vulnerable parser unchecked.
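The following Python block is an added example covering both the technical details and the exploitability discussion above; it is not Pillow's own code and does not come from the advisory. It uses an illustrative regular expression that is assumed to have the same ambiguous `(\d+\.?\d*)` shape as the pre-8.3.2 `hsl()`/`hsv()` parser, builds the kind of never-completed string an attacker would send, measures how the unguarded match cost grows, and shows the mitigation Pillow 8.3.2 applied (rejecting color specifiers longer than 100 characters before any regex runs, as described in the 8.3.2 release notes linked under Additional Resources). The version-range helper implements the advisory's affected range `>=5.2.0, <8.3.2`.

```python
"""Added example for CVE-2021-23437 (not Pillow's own code).

Demonstrates the ReDoS shape behind ImageColor.getrgb, the crafted input,
the 8.3.2-style length cap, and a check for the affected version range.
"""
import re
import time

# Illustrative pattern, ASSUMED to share the ambiguity of the pre-8.3.2
# hsl()/hsv() parser in ImageColor.getrgb: inside "(\d+\.?\d*)" a run of
# digits can be split between "\d+" and "\d*" in many ways.  On input that
# never matches (no closing parenthesis) the engine tries every split, so
# one call costs O(n^2) for n digits, and getrgb runs several such regexes.
HSL_RE = re.compile(
    r"hs[lv]\(\s*(\d+\.?\d*)\s*,\s*(\d+\.?\d*)%\s*,\s*(\d+\.?\d*)%\s*\)$"
)

# Pillow 8.3.2 raises ValueError for specifiers longer than 100 characters
# before running any regex; the same constant is reused here as the cap.
MAX_COLOR_LEN = 100

FIRST_BAD = (5, 2, 0)    # first affected release per the advisory
FIRST_FIXED = (8, 3, 2)  # first fixed release per the advisory


def crafted_color(n):
    """Attacker-controlled string: valid prefix, n digits, never closed."""
    return "hsl(" + "1" * n


def vulnerable_match(color):
    """Pre-fix behaviour: the regex runs on input of any length."""
    return HSL_RE.match(color)


def hardened_match(color):
    """Post-fix behaviour: length cap first, regex only on short input."""
    if len(color) > MAX_COLOR_LEN:
        raise ValueError("color specifier is too long")
    return HSL_RE.match(color)


def parse_version(text):
    """'8.3.1' -> (8, 3, 1); keeps leading digit groups, pads to 3 parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True if this Pillow version lies in the advisory range >=5.2.0, <8.3.2."""
    return FIRST_BAD <= parse_version(version_text) < FIRST_FIXED


def match_seconds(n):
    """Wall-clock cost of the unguarded regex on a crafted string of n digits."""
    color = crafted_color(n)
    start = time.perf_counter()
    vulnerable_match(color)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Quadratic growth: ten times the digits, roughly a hundred times the time.
    for n in (1_000, 10_000):
        print(f"n={n:>6}: {match_seconds(n):.3f}s")
    try:
        hardened_match(crafted_color(10_000))
    except ValueError as exc:
        print("hardened parser rejected the input:", exc)
    for v in ("5.1.2", "8.3.1", "8.3.2"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Running the module shows the quadratic growth directly: with `re.match` only position 0 is tried, so the cost is polynomial rather than exponential, but a specifier of a few hundred thousand digits still occupies a worker for on the order of minutes. The cap turns that into a constant-time rejection, which is why the fix bounds the input length rather than rewriting every regex. Use `is_affected` against `PIL.__version__` (or the pinned version in a lockfile) to triage deployments.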
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2021-23437?
Available Upgrade Options
- pillow
- git checkouts before commit 9e08eb8f78fdfd2f476e1b20b7cf38683754866b → update to a checkout that includes commit 9e08eb8f78fdfd2f476e1b20b7cf38683754866b
- pillow
- <8.3.2 → Upgrade to 8.3.2 or later (8.3.2 raises ValueError for color specifiers longer than 100 characters before any regex runs)
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2021-317
- https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
- https://security.gentoo.org/glsa/202211-10
- https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
- https://pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-317.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-23437
What are Similar Vulnerabilities to CVE-2021-23437?
Similar Vulnerabilities: CVE-2020-29651, CVE-2021-29063, CVE-2021-25292, CVE-2022-24706, CVE-2021-4122
