CVE-2021-25291
Out-of-bounds Read vulnerability in pillow (PyPI)
What is CVE-2021-25291 About?
This is an Out-of-bounds Read vulnerability in Pillow before 8.2.0, specifically in `TiffDecode.c`. It occurs during `TiffreadRGBATile` processing due to invalid tile boundaries, potentially leading to information disclosure or denial of service. Exploitation requires providing a malformed TIFF image.
Affected Software
- pillow
  - <8.2.0
  - <8.1.1
Technical Details
The vulnerability is an out-of-bounds read found in TiffDecode.c within the Pillow library, affecting versions prior to 8.2.0. When parsing a TIFF image, the TiffreadRGBATile function is responsible for reading image tile data. Due to an error in validating tile boundaries, the function attempts to read data from memory locations beyond the allocated buffer for the TIFF tile. This improper memory access can lead to a program crash (denial of service) or, in certain circumstances, allow an attacker to read sensitive information residing in adjacent memory regions if they can control the memory layout.
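The paragraph above describes a decoder trusting tile geometry from the file. The following is an added example, not Pillow's or libtiff's code and not the fix from the referenced commit: a small Python pre-decode triage that parses only the TIFF header and first IFD, extracts the image and tile dimensions, and reports geometry that a decoder would have to clamp or reject before handing a tile to `TIFFReadRGBATile`-style processing. The TIFF tag numbers are from the TIFF 6.0 specification; the tile-buffer limit and the sample files are constructed for this example.

```python
import math
import struct

# TIFF 6.0 tag numbers for the fields this triage needs.
TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_TILE_WIDTH = 322
TAG_TILE_LENGTH = 323
TAG_TILE_OFFSETS = 324
TAG_TILE_BYTE_COUNTS = 325

# IFD field types we interpret: SHORT (3) is 2 bytes, LONG (4) is 4 bytes.
TYPE_SIZES = {3: 2, 4: 4}

# Policy constant chosen for this example: largest RGBA tile buffer we accept.
MAX_TILE_BYTES = 64 * 1024 * 1024


def parse_first_ifd(data):
    """Parse the header and first IFD; return {tag: (count, inline_value_or_offset)}."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack_from(end + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset outside file")
    (n_entries,) = struct.unpack_from(end + "H", data, ifd_off)
    entries = {}
    pos = ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            raise ValueError("IFD entry truncated")
        tag, ftype, count = struct.unpack_from(end + "HHI", data, pos)
        size = TYPE_SIZES.get(ftype)
        if size is not None:
            if size * count <= 4:
                # Value fits in the 4-byte field: it is stored inline, left-justified.
                fmt = "H" if size == 2 else "I"
                (value,) = struct.unpack_from(end + fmt, data, pos + 8)
            else:
                # Otherwise the field holds an offset to the value array.
                (value,) = struct.unpack_from(end + "I", data, pos + 8)
            entries[tag] = (count, value)
        pos += 12
    return entries


def check_tile_geometry(entries):
    """Return a list of findings; an empty list means the tile geometry is self-consistent."""
    def val(tag):
        return entries[tag][1] if tag in entries else None

    w, h = val(TAG_IMAGE_WIDTH), val(TAG_IMAGE_LENGTH)
    tw, th = val(TAG_TILE_WIDTH), val(TAG_TILE_LENGTH)
    if w is None or h is None:
        return ["missing ImageWidth/ImageLength"]
    if tw is None and th is None:
        return []  # stripped image: tile checks do not apply
    if tw is None or th is None:
        return ["TileWidth/TileLength must appear together"]
    if 0 in (w, h, tw, th):
        return ["zero image or tile dimension"]
    findings = []
    if tw % 16 or th % 16:
        findings.append("tile dimensions not multiples of 16")
    if tw > w or th > h:
        # Legal per spec, but a decoder must clamp the copy into the image buffer.
        findings.append("tile exceeds image dimensions; decoder must clamp the copy")
    if tw * th * 4 > MAX_TILE_BYTES:
        findings.append("RGBA tile buffer exceeds limit")
    expected = math.ceil(w / tw) * math.ceil(h / th)
    if TAG_TILE_OFFSETS in entries:
        n = entries[TAG_TILE_OFFSETS][0]
        if n != expected:
            findings.append("TileOffsets count %d != expected %d" % (n, expected))
    return findings


def scan_tiff(data):
    """Triage a TIFF byte string; malformed structure is reported rather than raised."""
    try:
        return check_tile_geometry(parse_first_ifd(data))
    except ValueError as e:
        return ["malformed: %s" % e]


def build_tiled_tiff(width, height, tile_w, tile_h, n_tiles=None):
    """Constructed sample: little-endian header plus one IFD with tile tags and no pixel data."""
    if n_tiles is None:
        n_tiles = math.ceil(width / tile_w) * math.ceil(height / tile_h) if tile_w and tile_h else 1
    fields = [
        (TAG_IMAGE_WIDTH, 4, 1, width),
        (TAG_IMAGE_LENGTH, 4, 1, height),
        (TAG_TILE_WIDTH, 4, 1, tile_w),
        (TAG_TILE_LENGTH, 4, 1, tile_h),
        (TAG_TILE_OFFSETS, 4, n_tiles, 0),      # offset field; no data behind it here
        (TAG_TILE_BYTE_COUNTS, 4, n_tiles, 0),
    ]
    ifd = struct.pack("<H", len(fields))
    for tag, ftype, count, value in fields:
        ifd += struct.pack("<HHII", tag, ftype, count, value)
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd


if __name__ == "__main__":
    for label, sample in [("good", build_tiled_tiff(64, 48, 32, 16)),
                          ("oversized tile", build_tiled_tiff(16, 16, 256, 256)),
                          ("zero tile", build_tiled_tiff(64, 48, 0, 16))]:
        print(label, scan_tiff(sample) or "ok")
```

The point of the check is the one the advisory makes: tile dimensions and tile counts are attacker-controlled inputs, and a decoder that sizes buffers from one field and reads using another is the pattern that produces out-of-bounds access. Run this over uploads before an older Pillow sees them, or use it as a regression input generator when testing a patched build.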
What is the Impact of CVE-2021-25291?
Successful exploitation may allow attackers to cause a denial of service by crashing the application, or potentially lead to information disclosure by reading sensitive data from adjacent memory locations.
What is the Exploitability of CVE-2021-25291?
Exploitation of this vulnerability requires crafting a TIFF image file with invalid tile boundary information. The complexity is medium, as it involves understanding the TIFF file format and how TiffreadRGBATile processes it. There are no explicit authentication or privilege requirements. An attacker would need to provide the malformed TIFF image to an application using Pillow. This could be a remote attack if the application processes untrusted image file uploads, or a local attack if a malicious application directly interacts with the library. The main prerequisite is the ability to submit a maliciously constructed TIFF file for processing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-25291?
Available Upgrade Options
- pillow
  - <8.1.1 → Upgrade to 8.1.1
  - <8.2.0 → Upgrade to 8.2.0
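To apply the upgrade guidance above across a code base, the following added example (not part of this advisory or the Pillow project) scans requirements-style pins for Pillow and reports the upgrade target from the ranges listed here. The version parser treats pre-release tags (`a`, `b`, `rc`, `dev`) as sorting below the final release; the requirements text is constructed for the example.

```python
import re

# Affected ranges and upgrade targets as listed in this advisory (upper bounds exclusive).
# Versions are (major, minor, patch, final) where final is 0 for pre-releases and 1 for releases,
# so "8.1.1rc1" sorts below the 8.1.1 bound and is still reported as affected.
UPGRADE_TARGETS = [((8, 1, 1, 1), "8.1.1"), ((8, 2, 0, 1), "8.2.0")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_PIN_RE = re.compile(r"^\s*(pillow)\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, final) for a PEP 440-style version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, patch, rest = m.groups()
    is_pre = rest.lstrip(".").lower().startswith(("a", "b", "rc", "dev"))
    return (int(major), int(minor), int(patch or 0), 0 if is_pre else 1)


def recommended_upgrade(version_text):
    """Return the first advisory upgrade target the version falls below, or None if unaffected."""
    v = parse_version(version_text)
    for bound, target in UPGRADE_TARGETS:
        if v < bound:
            return target
    return None


def audit_requirements(text):
    """Find 'pillow==X' pins in requirements text; return [(pinned, upgrade_to)] for affected pins."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _PIN_RE.match(line)
        if not m:
            continue
        pinned = m.group(2)
        target = recommended_upgrade(pinned)
        if target:
            results.append((pinned, target))
    return results


# Constructed sample requirements file for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
Pillow==8.0.1
pillow==8.1.1   # already past the first fix
numpy==1.20.0
"""

if __name__ == "__main__":
    for pinned, target in audit_requirements(SAMPLE_REQUIREMENTS):
        print("pillow==%s is in an affected range for CVE-2021-25291: upgrade to %s" % (pinned, target))
```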
Additional Resources
- https://github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://osv.dev/vulnerability/PYSEC-2021-37
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-37.yaml
- https://github.com/python-pillow/Pillow/commit/cbdce6c5d054fccaf4af34b47f212355c64ace7a
- https://github.com/advisories/GHSA-mvg9-xffr-p774
- https://nvd.nist.gov/vuln/detail/CVE-2021-25291
- https://security.gentoo.org/glsa/202107-33
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to CVE-2021-25291?
Similar Vulnerabilities: CVE-2020-11538, CVE-2022-22816, CVE-2021-27923, CVE-2022-22817, CVE-2022-22815
