CVE-2021-25293
Out-of-bounds Read vulnerability in pillow (PyPI)
What is CVE-2021-25293 About?
This vulnerability is an out-of-bounds read in SGIRleDecode.c within Pillow before version 8.1.1. It could lead to information disclosure or denial of service due to improper memory access. Exploitation difficulty is likely moderate, requiring crafted input to trigger the read beyond allocated buffer limits.
Affected Software
Technical Details
The vulnerability stems from an out-of-bounds read operation in the SGIRleDecode.c component of Pillow. When processing specific image files or data streams handled by the SGIRleDecode module, the application attempts to read data from a memory location that is outside the boundaries of its intended buffer. This typically occurs because of incorrect index calculations or size checks during decoding, allowing an attacker to supply malformed input that causes the read pointer to go past the end or before the beginning of an allocated memory region. Such an access could expose sensitive information from adjacent memory or crash the application, potentially leading to a denial of service.
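The paragraph above describes the general shape of the bug: a run-length decoder whose index and size checks do not hold the read pointer inside the input and output buffers. The decoder below is an added example written for this page, not Pillow's SGIRleDecode.c and not the patched code. It follows the SGI RLE packet layout as I understand it (an assumption, not taken from the page): a count byte whose low seven bits give the run length and whose high bit selects a literal run (the next `count` bytes are copied) or a repeat run (the next single byte is repeated `count` times); a count of zero ends the scanline. Every packet is checked against both the remaining input and the remaining scanline width before any byte is touched, which is the class of check whose absence produces an out-of-bounds read in a C decoder.

```python
"""Bounds-checked RLE scanline decoder (added example; SGI-style packet
layout is an assumption, see the lead-in)."""
from typing import Optional, Tuple


class RleError(ValueError):
    """Raised when a packet would read or write outside its buffers."""


def decode_rle_scanline(data: bytes, width: int) -> bytes:
    """Decode one scanline of `width` pixels from `data`.

    Rejects input that would read past the end of `data` or write more
    than `width` pixels, instead of trusting the encoded counts.
    """
    out = bytearray()
    pos = 0
    while True:
        if pos >= len(data):
            raise RleError("scanline ended without a terminator packet")
        count = data[pos] & 0x7F
        literal = bool(data[pos] & 0x80)
        pos += 1
        if count == 0:
            break
        # Output bound: a run may not exceed the remaining scanline width.
        if len(out) + count > width:
            raise RleError(f"run of {count} overflows scanline of width {width}")
        if literal:
            # Input bound: all literal bytes must actually be present.
            if pos + count > len(data):
                raise RleError("literal run reads past end of input")
            out += data[pos:pos + count]
            pos += count
        else:
            # Input bound: the byte to repeat must be present.
            if pos >= len(data):
                raise RleError("repeat run reads past end of input")
            out += bytes([data[pos]]) * count
            pos += 1
    if len(out) != width:
        raise RleError(f"decoded {len(out)} pixels, expected {width}")
    return bytes(out)


def decode_or_error(data: bytes, width: int) -> Tuple[Optional[bytes], Optional[str]]:
    """Convenience wrapper returning (pixels, None) or (None, message)."""
    try:
        return decode_rle_scanline(data, width), None
    except RleError as exc:
        return None, str(exc)


# Constructed sample inputs (not real image data):
# literal run of 3 bytes, repeat 0xFF five times, terminator -> 8 pixels.
GOOD_SCANLINE = bytes([0x83, 0x01, 0x02, 0x03, 0x05, 0xFF, 0x00])
# literal run claims 6 bytes but only 2 follow: an over-read in an unchecked decoder.
TRUNCATED_SCANLINE = bytes([0x86, 0x01, 0x02])
# repeat run of 5 into a 4-pixel scanline: an over-write in an unchecked decoder.
OVERFLOW_SCANLINE = bytes([0x05, 0xFF, 0x00])

if __name__ == "__main__":
    print(decode_or_error(GOOD_SCANLINE, 8))
    print(decode_or_error(TRUNCATED_SCANLINE, 8))
    print(decode_or_error(OVERFLOW_SCANLINE, 4))
```

The two malformed samples are the cases a fuzzer finds first: counts that promise more input than exists, and counts that exceed the destination buffer. In Python these would surface as exceptions anyway; the point is that a native decoder must perform these comparisons explicitly, because the memory reads otherwise succeed silently and return whatever happens to lie beyond the buffer.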
What is the Impact of CVE-2021-25293?
Successful exploitation may allow attackers to disclose sensitive information from memory or cause the application to crash, leading to a denial of service. This unauthorized memory access could bypass security controls and compromise data integrity or system availability.
What is the Exploitability of CVE-2021-25293?
Exploitation of this vulnerability would likely involve supplying a specially crafted image file or data input that triggers the out-of-bounds read. The complexity level is moderate, as it requires specific knowledge of the SGIRleDecode.c component's inner workings and memory management. No authentication or privileged access is typically required, as the vulnerability resides in the processing of user-supplied data, making it a remote attack vector. The primary risk factor increasing likelihood is the widespread use of Pillow for image processing; successful exploitation often hinges on whether an application accepts untrusted image files. Special conditions would involve the precise manipulation of image file structures to cause the erroneous memory access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-25293?
Available Upgrade Options
- pillow
- >=4.3.0, <8.1.1 → Upgrade to 8.1.1
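To act on the upgrade range above, an operator usually wants a quick check of whether a given (or the installed) Pillow version falls inside `>=4.3.0, <8.1.1`. The script below is an added example, not tooling from Pillow or the advisory source. It uses a small hand-rolled comparator so it runs without the `packaging` library; it handles plain dotted numeric versions only (an assumption) and raises on anything else, and the installed-version lookup relies on `PIL.__version__`, which is read with `getattr` in case an old build lacks it.

```python
"""Check a Pillow version against the CVE-2021-25293 affected range."""
from typing import Optional, Tuple

# Range and fixed version as given in the advisory.
AFFECTED_RANGE = ">=4.3.0, <8.1.1"
FIXED_VERSION = "8.1.1"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c' into a tuple of ints; rejects pre-release suffixes."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so 8.1 compares equal to 8.1.0."""
    return v + (0,) * (n - len(v))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec`.

    Supported operators: >=, <=, ==, >, < (two-character operators are
    tried first so '>=' is not misread as '>').
    """
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                n = max(len(v), len(bound))
                a, b = _pad(v, n), _pad(bound, n)
                ok = {">=": a >= b, "<=": a <= b, "==": a == b,
                      ">": a > b, "<": a < b}[op]
                if not ok:
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def is_affected(version: str) -> bool:
    """True when `version` lies in the advisory's affected range."""
    return satisfies(version, AFFECTED_RANGE)


def installed_pillow_version() -> Optional[str]:
    """Return the installed Pillow version, or None if Pillow is absent."""
    try:
        import PIL  # imported lazily so the checker runs without Pillow
    except ImportError:
        return None
    return getattr(PIL, "__version__", None)


if __name__ == "__main__":
    current = installed_pillow_version()
    if current is None:
        print("Pillow is not installed (or exposes no __version__)")
    elif is_affected(current):
        print(f"Pillow {current} is affected; upgrade to {FIXED_VERSION}")
    else:
        print(f"Pillow {current} is outside the affected range")
```

The comparator is deliberately strict: a version such as `8.1.0rc1` raises rather than being silently classified, so an unexpected string shows up in the output instead of producing a false "not affected".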
Additional Resources
- https://osv.dev/vulnerability/GHSA-p43w-g3c5-g5mq
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-25293
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-39.yaml
- https://github.com/advisories/GHSA-p43w-g3c5-g5mq
- https://github.com/python-pillow/Pillow/commit/4853e522bddbec66022c0915b9a56255d0188bf9
- https://github.com/python-pillow/Pillow/commit/f891baa604636cd2506a9360d170bc2cf4963cc5
- https://security.gentoo.org/glsa/202107-33
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to CVE-2021-25293?
Similar Vulnerabilities: CVE-2020-10379, CVE-2020-10177, CVE-2018-19605, CVE-2019-16781, CVE-2021-25290
