CVE-2021-27921
Denial of Service vulnerability in pillow (PyPI)
What is CVE-2021-27921 About?
Pillow before 8.1.2 is vulnerable to a denial of service caused by excessive memory consumption when processing BLP container files. This flaw occurs because the reported size of a contained image is unchecked, allowing an attacker to easily exhaust system resources with a crafted file.
Affected Software
- pillow
  - <8.1.2
  - <8.1.1
Technical Details
The vulnerability exists when Pillow processes BLP (Blizzard Texture) image container files. The internal logic that handles BLP files does not properly validate the reported size of an image contained within the BLP wrapper. An attacker can craft a BLP file that falsely claims an extremely large image size. When Pillow attempts to allocate memory based on this untrusted reported size, it leads to an excessively large memory allocation request. This large allocation can exhaust system memory, causing the application or the entire system to crash or become unresponsive, resulting in a denial of service.
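As an added illustration, not code from the advisory or from Pillow itself, the following defensive pre-check parses only the fixed BLP2 header and rejects a container whose declared sizes cannot be satisfied by the file that actually arrived: dimensions beyond a policy cap, or a mipmap block whose declared offset and length reach past the end of the container. The header layout, the constant names (HEADER_SIZE, MAX_PIXELS, MAX_DIMENSION), the function names and the policy limits are assumptions taken from public BLP2 format descriptions rather than from this page; BLP1 files are rejected outright by this check, and the sample containers it builds are constructed test data. Upgrading Pillow remains the fix; this is a defence-in-depth gate placed in front of an untrusted decoder.

```python
"""Defensive pre-check for BLP2 containers before an image decoder touches them.

Hypothetical helper, not Pillow's own code. The fixed-size header layout below is an
assumption taken from public BLP2 format descriptions:
  offset  size  field
  0       4     magic b"BLP2"
  4       4     u32 compression type
  8       1     u8 encoding
  9       1     u8 alpha depth
  10      1     u8 alpha encoding
  11      1     u8 has-mipmaps flag
  12      4     u32 width
  16      4     u32 height
  20      64    16 x u32 mipmap offsets
  84      64    16 x u32 mipmap lengths
"""
import io
import struct

HEADER_SIZE = 148                # 4 + 4 + 4 + 8 + 64 + 64
MAX_DIMENSION = 8192             # assumed policy cap on either side
MAX_PIXELS = 16 * 1024 * 1024    # assumed policy cap on the declared pixel count


class BlpHeaderError(ValueError):
    """The declared sizes in the header cannot be trusted."""


def check_blp2_header(data, max_dimension=MAX_DIMENSION, max_pixels=MAX_PIXELS):
    """Validate declared sizes against the real container.

    Returns (width, height, [(offset, length), ...]) for the non-empty mipmap levels,
    or raises BlpHeaderError. Every comparison is against a value we measured ourselves
    (len(data)) or against fixed policy, never against another untrusted header field.
    """
    if len(data) < HEADER_SIZE:
        raise BlpHeaderError("container shorter than the fixed BLP2 header")
    if data[:4] != b"BLP2":
        raise BlpHeaderError("not a BLP2 container (BLP1 is rejected by this check)")

    width, height = struct.unpack_from("<II", data, 12)
    if width == 0 or height == 0:
        raise BlpHeaderError("zero-sized image")
    if width > max_dimension or height > max_dimension:
        raise BlpHeaderError(f"declared {width}x{height} exceeds per-side cap {max_dimension}")
    if width * height > max_pixels:
        raise BlpHeaderError(f"declared {width * height} pixels exceeds cap {max_pixels}")

    offsets = struct.unpack_from("<16I", data, 20)
    lengths = struct.unpack_from("<16I", data, 84)
    levels = []
    for level, (offset, length) in enumerate(zip(offsets, lengths)):
        if length == 0:
            continue
        # The check the advisory describes as missing: a contained block's reported
        # size must fit inside the container that actually arrived.
        if offset < HEADER_SIZE or offset + length > len(data):
            raise BlpHeaderError(
                f"mipmap {level} declares {length} bytes at {offset}, "
                f"but the container is only {len(data)} bytes"
            )
        levels.append((offset, length))
    if not levels:
        raise BlpHeaderError("no mipmap data declared")
    return width, height, levels


def is_trusted_blp2(data):
    """Boolean form of the check, convenient for an upload filter."""
    try:
        check_blp2_header(data)
        return True
    except BlpHeaderError:
        return False


def open_checked(data):
    """Run the header gate, then hand the bytes to Pillow (imported lazily so the
    check itself has no dependency on Pillow)."""
    check_blp2_header(data)
    from PIL import Image
    return Image.open(io.BytesIO(data))


def make_blp2(width, height, declared_mip0_length, payload_length):
    """Constructed test container: a BLP2 header plus payload_length zero bytes.

    declared_mip0_length is what the header *claims* for the first mipmap; letting it
    disagree with payload_length models a file whose reported size is a lie.
    """
    offsets = [HEADER_SIZE] + [0] * 15
    lengths = [declared_mip0_length] + [0] * 15
    header = (
        b"BLP2"
        + struct.pack("<I", 1)              # compression type: 1 (not JPEG)
        + bytes([1, 8, 0, 0])               # encoding, alpha depth, alpha encoding, mips flag
        + struct.pack("<II", width, height)
        + struct.pack("<16I", *offsets)
        + struct.pack("<16I", *lengths)
    )
    return header + b"\x00" * payload_length


if __name__ == "__main__":
    honest = make_blp2(64, 64, 4096, 4096)
    print(check_blp2_header(honest))                 # (64, 64, [(148, 4096)])
    lying = make_blp2(64, 64, 2 ** 31, 4096)         # claims 2 GiB, ships 4 KiB
    print(is_trusted_blp2(lying))                    # False
    huge = make_blp2(1 << 20, 1 << 20, 16, 16)       # declares a trillion pixels
    print(is_trusted_blp2(huge))                     # False
```

The gate deliberately fails closed: anything it cannot parse, including BLP1, is rejected, so a deployment that must accept BLP1 would need an equivalent check for that header. The policy caps are independent of the container check; the container check alone is what stops a header from promising more bytes than the file holds.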
What is the Impact of CVE-2021-27921?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive memory resources, leading to application crashes or system instability. This can disrupt service availability and require manual intervention to restore normal operations.
What is the Exploitability of CVE-2021-27921?
Exploitation is relatively straightforward, requiring remote access if the application processes untrusted files, or local access to supply a crafted BLP file. An attacker needs to provide a maliciously crafted BLP image that specifies an enormous image size. No specific authentication or elevated privileges are required as the vulnerability is triggered during the image decoding process. The primary risk factor is the exposure of the application to external, untrusted BLP image uploads or processing, which can easily lead to memory exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27921?
About the Fix from Resolved Security
Available Upgrade Options
- pillow
  - <8.1.1 → Upgrade to 8.1.1
  - <8.1.2 → Upgrade to 8.1.2
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
- https://github.com/advisories/GHSA-f4w8-cv6p-x6r5
What are Similar Vulnerabilities to CVE-2021-27921?
Similar Vulnerabilities: CVE-2021-28675, CVE-2020-35653, CVE-2021-28676, CVE-2016-9189, CVE-2014-8255
