CVE-2021-27922
Denial of Service vulnerability in pillow (PyPI)


What is CVE-2021-27922 About?

This vulnerability in Pillow lets an attacker cause a denial of service through excessive memory consumption. When Pillow parses an ICNS (Apple Icon Image) container it does not properly check the size reported for an embedded image, so a header that declares a huge size leads to a correspondingly huge memory allocation. Exploitation is easy: it only requires getting a specially crafted image file in front of a vulnerable Pillow.

Affected Software

  • pillow
    • <8.1.2
    • <8.1.1

Technical Details

The vulnerability lies within Pillow's handling of ICNS (Apple Icon Image) container files. An ICNS file is a sequence of blocks, each introduced by a header that carries a type tag and a length. When Pillow processes such a container, it trusts the size reported for an embedded image instead of bounding it by the data actually present. An attacker can therefore craft a file of a few bytes whose header declares an extraordinarily large embedded image; Pillow sizes its allocation from that declared value, and the attempt to allocate a very large buffer exhausts memory and denies service to the application or process that opened the file. The fixed releases listed below add checks on the reported size before the allocation is made.
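The following is an added illustration of the bug class, not Pillow's own code or its patch: a minimal ICNS block-table walker in the trusting style beside a hardened one that bounds every declared length by the bytes actually supplied. The ICNS layout used (an 8-byte `icns` + big-endian file length header, then blocks of 4-byte type + big-endian length that includes the header) is the real format; the sample files, the helper names and the `MAX_BLOCK_BYTES` cap are constructed for this example.

```python
"""Added example (not Pillow's code): why a trusted, attacker-declared block size
in an ICNS container turns into a huge allocation, and the checks that stop it."""
import struct
from io import BytesIO

HEADERSIZE = 8        # every ICNS header is a 4-byte type tag + big-endian uint32 length
MAGIC = b"icns"
# Hypothetical policy cap on one block. The essential check is the bound against
# the bytes actually present; this just keeps a legitimately large file honest.
MAX_BLOCK_BYTES = 16 * 1024 * 1024


def _next_header(fobj):
    """Read one ICNS header. The length field counts the header itself."""
    hdr = fobj.read(HEADERSIZE)
    if len(hdr) != HEADERSIZE:
        raise SyntaxError("truncated ICNS header")
    return hdr[:4], struct.unpack(">I", hdr[4:8])[0]


def scan_icns_trusting(data):
    """Vulnerable pattern: walk the block table believing every declared length.
    Returns {type: (payload_offset, declared_payload_length)}. A decoder that
    goes on to allocate declared_payload_length bytes allocates whatever the
    attacker wrote in the header. We only record the number so this stays safe."""
    fobj = BytesIO(data)
    sig, filesize = _next_header(fobj)
    if sig != MAGIC:
        raise SyntaxError("not an icns file")
    blocks = {}
    i = HEADERSIZE
    while i < filesize:
        sig, blocksize = _next_header(fobj)
        i += HEADERSIZE
        blocksize -= HEADERSIZE
        blocks[sig] = (i, blocksize)
        fobj.seek(blocksize, 1)      # BytesIO happily seeks past the end of the data
        i += blocksize
    return blocks


def scan_icns_checked(data):
    """Hardened walk: every declared size is bounded by the bytes actually
    supplied before anything is allocated from it."""
    fobj = BytesIO(data)
    sig, filesize = _next_header(fobj)
    if sig != MAGIC:
        raise SyntaxError("not an icns file")
    if filesize > len(data):
        raise SyntaxError(f"declared file size {filesize} exceeds {len(data)} bytes supplied")
    blocks = {}
    i = HEADERSIZE
    while i < filesize:
        sig, blocksize = _next_header(fobj)
        if blocksize < HEADERSIZE:
            # also stops a zero-length block from re-reading the same header forever
            raise SyntaxError("invalid block header")
        if i + blocksize > filesize:
            raise SyntaxError(f"block {sig!r} runs past the end of the file")
        i += HEADERSIZE
        blocksize -= HEADERSIZE
        if blocksize > MAX_BLOCK_BYTES:
            raise SyntaxError(f"block {sig!r} of {blocksize} bytes exceeds policy cap")
        blocks[sig] = (i, blocksize)
        fobj.seek(blocksize, 1)
        i += blocksize
    return blocks


def load_block(data, sig):
    """Return a block's payload, sized from the checked table only."""
    start, length = scan_icns_checked(data)[sig]
    payload = data[start:start + length]
    if len(payload) != length:
        raise SyntaxError("short block payload")
    return payload


def rejects(data):
    """True if the hardened parser refuses the container."""
    try:
        scan_icns_checked(data)
    except SyntaxError:
        return True
    return False


def build_icns(blocks):
    """Constructed test data: assemble a well-formed container from (type, payload) pairs."""
    body = b"".join(t + struct.pack(">I", HEADERSIZE + len(p)) + p for t, p in blocks)
    return MAGIC + struct.pack(">I", HEADERSIZE + len(body)) + body


# Constructed samples. Each crafted file is 20 bytes long but declares ~1 GiB of image data.
BENIGN = build_icns([(b"ic10", b"\x89PNG" + b"\x00" * 12)])
CRAFTED_FILESIZE = MAGIC + struct.pack(">I", 0x40000000) + b"ic10" + struct.pack(">I", 0x3FFFFFF8) + b"\x00" * 4
CRAFTED_BLOCK = MAGIC + struct.pack(">I", 20) + b"ic10" + struct.pack(">I", 0x3FFFFFF8) + b"\x00" * 4

if __name__ == "__main__":
    print("benign:", scan_icns_checked(BENIGN))
    for name, blob in (("filesize", CRAFTED_FILESIZE), ("block", CRAFTED_BLOCK)):
        _, declared = scan_icns_trusting(blob)[b"ic10"]
        print(f"crafted-{name}: trusting walk would allocate {declared} bytes; hardened rejects: {rejects(blob)}")
```

Run stand-alone, the trusting walk reports a 1,073,741,808-byte block for both crafted files while the checked walk refuses them at the header stage; the benign file parses identically under both. The two crafted inputs exercise the two separate bounds (declared file length against bytes supplied, and block length against declared file length) so that a regression in either check is visible on its own.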

What is the Impact of CVE-2021-27922?

Successful exploitation lets an attacker consume excessive memory in the process that decodes the file. Depending on how the host handles the allocation, that process either fails with a memory error or is killed by the operating system, so the application loses availability and, on a memory-constrained host, other services can be affected as well.

What is the Exploitability of CVE-2021-27922?

Exploitation is low complexity and requires neither authentication nor elevated privileges: the attacker only has to get a malformed ICNS file opened by an application that processes images with a vulnerable Pillow. This is often possible remotely wherever the application accepts image uploads or renders user-supplied image content. Note that Pillow's `Image.open` selects the image plugin from the file's magic bytes, not from its extension, so an upload filter that only checks extensions or declared content types does not keep ICNS data away from the parser; restricting the accepted formats (for example with the `formats` argument of `Image.open`), decoding untrusted images in a memory-limited worker, and upgrading are the practical controls. The likelihood of exploitation is highest for server-side applications that handle user-uploaded images without such validation.

What are the Known Public Exploits?

No public proof-of-concept exploits are known.

What are the Available Fixes for CVE-2021-27922?

A Fix by Resolved Security Exists!


Available Upgrade Options

  • pillow
    • <8.1.1 → Upgrade to 8.1.1
    • <8.1.2 → Upgrade to 8.1.2

Upgrading to 8.1.2 or later satisfies both advisory ranges.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-27922?

Similar Vulnerabilities: CVE-2022-29217, CVE-2021-25287, CVE-2020-10378, CVE-2020-35655, CVE-2022-45198