CVE-2021-27923
Denial of Service vulnerability in pillow (PyPI)
What is CVE-2021-27923 About?
This is a Denial of Service vulnerability in Pillow before version 8.1.1, caused by improper checking of the reported size of a contained image within an ICO container. Attackers can exploit this by providing a crafted ICO file, leading to very large memory allocations and resource exhaustion. Exploitation is relatively easy with a specially crafted file.
Affected Software
- pillow <8.1.1
- pillow <8.1.2
Technical Details
The vulnerability is a Denial of Service in Pillow, affecting versions prior to 8.1.1. It occurs during the processing of ICO image files. Specifically, when Pillow attempts to parse an ICO container, it does not adequately validate the reported size of the contained images within the file header. An attacker can craft a malicious ICO file that declares an extraordinarily large image size, leading Pillow to attempt a massive memory allocation. This large allocation can exhaust system memory, cause the application to crash, or significantly degrade performance, effectively leading to a denial of service.
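The check that matters here is the one the page says was missing: the allocation is driven by the size the embedded image declares, not by the 256x256 maximum the ICO directory can express. As an added example, not Pillow's own code and not the fix the maintainers shipped, the following defensive pre-filter parses the public ICO directory and the embedded PNG/BMP headers and refuses a file before any image library allocates for it. The limits MAX_ENTRIES and MAX_FRAME_PIXELS, the strict policy that an embedded frame must match its directory entry, the helper names and the constructed sample files are assumptions of this example; pillow_is_patched only compares a version string against the 8.1.1 boundary stated above.

```python
import re
import struct

# Policy limits for this added example (assumptions, not values taken from Pillow).
MAX_ENTRIES = 64                 # more directory entries than any sane icon needs
MAX_FRAME_PIXELS = 1024 * 1024   # cap on width*height declared by any embedded frame

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def embedded_image_size(blob):
    """Return (width, height) declared by the header of an embedded PNG or BMP (DIB) frame."""
    if blob.startswith(PNG_MAGIC):
        # PNG: 8-byte signature, 4-byte length, "IHDR", then big-endian width and height
        if len(blob) < 24 or blob[12:16] != b"IHDR":
            raise ValueError("malformed PNG frame")
        width, height = struct.unpack(">II", blob[16:24])
        return width, height
    # BMP frame: BITMAPINFOHEADER starts with biSize, biWidth, biHeight (little-endian)
    if len(blob) < 12:
        raise ValueError("truncated DIB header")
    header_size, width, height = struct.unpack("<Iii", blob[:12])
    if header_size < 40:
        raise ValueError(f"unexpected DIB header size {header_size}")
    # In an ICO the DIB height covers the XOR bitmap plus the AND mask, so halve it
    return abs(width), abs(height) // 2


def check_ico(data):
    """Validate an ICO container before an image library allocates anything for it.

    Returns a list of (directory_size, embedded_size) per entry, or raises ValueError.
    """
    if len(data) < 6:
        raise ValueError("truncated ICO header")
    reserved, kind, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO container")
    if count == 0 or count > MAX_ENTRIES:
        raise ValueError(f"unreasonable entry count {count}")
    frames = []
    directory_end = 6 + 16 * count
    for i in range(count):
        entry = data[6 + 16 * i:6 + 16 * (i + 1)]
        if len(entry) < 16:
            raise ValueError("truncated ICO directory")
        w, h, _colors, _rsv, _planes, _bpp, size, offset = struct.unpack("<BBBBHHII", entry)
        w, h = w or 256, h or 256          # a 0 byte in the directory means 256
        if offset < directory_end or offset + size > len(data):
            raise ValueError(f"entry {i}: image data lies outside the file")
        ew, eh = embedded_image_size(data[offset:offset + size])
        # The CVE-relevant check: the allocation follows the embedded header, so cap it
        if ew * eh > MAX_FRAME_PIXELS:
            raise ValueError(f"entry {i}: frame too large ({ew}x{eh})")
        # Strict consistency policy: the embedded frame must match what the directory declared
        if (ew, eh) != (w, h):
            raise ValueError(f"entry {i}: embedded {ew}x{eh} disagrees with directory {w}x{h}")
        frames.append(((w, h), (ew, eh)))
    return frames


def ico_verdict(data):
    """Convenience wrapper: 'ok' or 'reject: <reason>'."""
    try:
        check_ico(data)
        return "ok"
    except ValueError as exc:
        return f"reject: {exc}"


def pillow_is_patched(version):
    """True if a Pillow version string is at or above 8.1.1 (leading digits only; pre-release tags are ignored)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (8, 1, 1)


def build_ico(frames):
    """Constructed sample data: build an ICO from (dir_w, dir_h, dib_w, dib_h) tuples.

    Frame bodies are zero-filled placeholders, not real pixel data.
    """
    blobs = []
    for _, _, dw, dh in frames:
        # 40-byte BITMAPINFOHEADER with doubled height (XOR + AND mask), 32 bpp
        dib = struct.pack("<IiiHHIIiiII", 40, dw, dh * 2, 1, 32, 0, 0, 0, 0, 0, 0)
        blobs.append(dib + b"\x00" * 16)
    header = struct.pack("<HHH", 0, 1, len(frames))
    offset = 6 + 16 * len(frames)
    entries = b""
    for (w, h, _, _), blob in zip(frames, blobs):
        entries += struct.pack("<BBBBHHII", w % 256, h % 256, 0, 0, 1, 32, len(blob), offset)
        offset += len(blob)
    return header + entries + b"".join(blobs)


# Constructed samples: a benign 16x16 icon and one whose embedded DIB claims 100000x100000
BENIGN_ICO = build_ico([(16, 16, 16, 16)])
HOSTILE_ICO = build_ico([(16, 16, 100000, 100000)])

if __name__ == "__main__":
    print("benign :", ico_verdict(BENIGN_ICO))
    print("hostile:", ico_verdict(HOSTILE_ICO))
```

Run the pre-filter on the raw upload before calling `Image.open`; a rejection is also a useful signal to log, since a legitimate icon editor never emits a frame that disagrees with its own directory entry. The pixel cap is the mitigation for this CVE; the mismatch rule is a stricter policy that may need relaxing for sloppy but harmless icons.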
What is the Impact of CVE-2021-27923?
Successful exploitation may allow attackers to disrupt the availability of the affected system or application, leading to a denial of service by exhausting system memory or crashing the application.
What is the Exploitability of CVE-2021-27923?
Exploitation of this vulnerability involves supplying a specially crafted ICO image file to an application that uses the vulnerable Pillow library. The complexity for an attacker is low to medium, as it primarily requires creating a malformed ICO file with an exaggerated image size. No specific authentication or privilege is required beyond the ability to upload or provide an ICO file to the target application. This is typically a remote attack vector if the application processes user-uploaded images, or local if a malicious process feeds such a file to an image-processing component. The main prerequisite is the ability to submit an ICO file for processing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-27923?
Available Upgrade Options
- pillow <8.1.1 → Upgrade to 8.1.1
- pillow <8.1.2 → Upgrade to 8.1.2
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML/
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-42.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2021-27923
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ/
- https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
What are Similar Vulnerabilities to CVE-2021-27923?
Similar Vulnerabilities: GHSA-jgpv-4h4c-xhw3, CVE-2021-28678, CVE-2021-25291, CVE-2022-22816, CVE-2020-11538
