CVE-2021-25287
Out-of-bounds Read vulnerability in pillow (PyPI)
What is CVE-2021-25287 About?
This Pillow vulnerability is an out-of-bounds read in the J2kDecode component that is triggered when certain JPEG 2000 (J2K) image files are processed. Such errors can lead to information disclosure, denial of service, or potentially arbitrary code execution. Exploiting this vulnerability requires crafting a malicious image file and is of moderate difficulty.
Affected Software
- pillow
  - <8.2.0
  - >=2.4.0, <8.2.0
Technical Details
The vulnerability exists within the J2kDecode module, specifically within the j2ku_graya_la function responsible for decoding JPEG 2000 (J2K) images. An attacker can craft a malformed J2K image file that, when processed by Pillow, causes the j2ku_graya_la function to attempt to read data from a memory location outside the bounds of the allocated buffer. This out-of-bounds read can result in the program accessing arbitrary memory, potentially leading to crashes (denial of service), leakage of sensitive information from memory, or, in more complex scenarios, serving as one link in a larger exploit chain that achieves arbitrary code execution (for example, by leaking pointers to bypass ASLR).
What is the Impact of CVE-2021-25287?
Successful exploitation may allow attackers to cause application crashes, leading to denial of service, or potentially facilitate information disclosure or arbitrary code execution.
What is the Exploitability of CVE-2021-25287?
Exploitation involves a moderate level of complexity, as it requires careful crafting of a malicious JPEG 2000 image file. No specific authentication or elevated privileges are typically required; the attacker only needs to be able to supply the crafted image to an application using the vulnerable Pillow library. The vulnerability can be exploited remotely if the target application processes untrusted image files, for example through an image upload feature. Special conditions include the need for a precise malformation of the J2K header or data to trigger the specific out-of-bounds read within j2ku_graya_la. The risk is elevated in systems that handle user-supplied image data or are exposed to external image processing without proper validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-25287?
Available Upgrade Options
- pillow
  - >=2.4.0, <8.2.0 → Upgrade to 8.2.0
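The two defensive checks implied by the Exploitability and Available Fixes sections above, as an added example (this is not Pillow's code, nor code from the advisory): verify whether the deployed Pillow falls inside the affected range stated on this page (>=2.4.0, <8.2.0, fixed in 8.2.0), and, while a vulnerable build is still deployed, sniff uploads for the JPEG 2000 codestream or JP2 container signature so that J2K inputs can be refused before they reach the J2kDecode path. The JPEG 2000 magic bytes are standard format signatures, not something the advisory states; the sample inputs are constructed header fragments, not real images; the function names are this example's own. Only the standard library is used, so it runs whether or not Pillow is installed.

```python
"""Constructed defender-side example for CVE-2021-25287 (not Pillow's own code).

Two checks for a service that accepts user-supplied images:
  1. is_vulnerable_pillow(): compare a Pillow version string against the
     affected range stated in the advisory (>=2.4.0, <8.2.0).
  2. looks_like_jpeg2000(): sniff the leading bytes of an upload for the
     JPEG 2000 codestream / JP2 signatures so J2K inputs can be refused
     (or quarantined) while a vulnerable Pillow is still deployed.
"""
from importlib import metadata
import re

# Affected range from the advisory: Pillow >= 2.4.0 and < 8.2.0; fixed in 8.2.0.
AFFECTED_MIN = (2, 4, 0)
FIXED_IN = (8, 2, 0)

# Standard JPEG 2000 format signatures (assumption: well-known magic bytes,
# not taken from the advisory):
#   a raw J2K codestream begins with the SOC and SIZ markers FF 4F FF 51
#   a JP2 container begins with the 12-byte signature box
J2K_CODESTREAM_MAGIC = b"\xff\x4f\xff\x51"
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"


def parse_version(text):
    """Turn '8.1.2', '8.2.0.dev0' or '2.4' into a comparable tuple of ints.

    Pre-release suffixes are dropped, so '8.2.0.dev0' sorts as 8.2.0; treat
    dev builds as unfixed if that is your policy.
    """
    match = re.match(r"^\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.4' -> (2, 4, 0)


def is_vulnerable_pillow(version_text):
    """True when the version lies inside the affected range [2.4.0, 8.2.0)."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN


def installed_pillow_version():
    """Installed Pillow version string, or None when Pillow is not present."""
    try:
        return metadata.version("Pillow")
    except metadata.PackageNotFoundError:
        return None


def looks_like_jpeg2000(data):
    """Sniff a JPEG 2000 codestream or JP2 container from the leading bytes."""
    return data.startswith(J2K_CODESTREAM_MAGIC) or data.startswith(JP2_SIGNATURE)


def upload_decision(data, pillow_version):
    """'reject' when the input is JPEG 2000 and the deployed Pillow is in the
    affected range; otherwise 'decode'. Non-J2K input passes through because
    this CVE is specific to the J2kDecode path; an unknown (None) version is
    treated as not installed, so nothing would decode the file anyway."""
    if (pillow_version is not None
            and is_vulnerable_pillow(pillow_version)
            and looks_like_jpeg2000(data)):
        return "reject"
    return "decode"


# Constructed sample inputs: header bytes only, not real images.
SAMPLE_J2K = J2K_CODESTREAM_MAGIC + b"\x00\x29" + b"\x00" * 40
SAMPLE_JP2 = JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 "
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    ver = installed_pillow_version()
    print("installed Pillow:", ver,
          "vulnerable:", ver is not None and is_vulnerable_pillow(ver))
    for name, blob in (("j2k", SAMPLE_J2K), ("jp2", SAMPLE_JP2), ("png", SAMPLE_PNG)):
        print(name, "on 8.1.2 ->", upload_decision(blob, "8.1.2"),
              "| on 8.2.0 ->", upload_decision(blob, "8.2.0"))
```

The magic-byte gate is a stopgap for the window between discovering a vulnerable Pillow and rolling out 8.2.0; it is not a substitute for the upgrade, and it only helps if the sniff runs before any code path (including thumbnailing or metadata extraction) hands the bytes to Pillow.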
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-137.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
- https://osv.dev/vulnerability/GHSA-77gc-v2xv-rvvh
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
- https://github.com/advisories/GHSA-77gc-v2xv-rvvh
- https://github.com/python-pillow/Pillow/pull/5377/commits/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
- https://nvd.nist.gov/vuln/detail/CVE-2021-25287
- https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/
- https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
What are Similar Vulnerabilities to CVE-2021-25287?
Similar Vulnerabilities: CVE-2020-10378, CVE-2021-25288, CVE-2020-10994, CVE-2019-1010080, CVE-2018-19702
