CVE-2021-28675
Denial of Service vulnerability in pillow (PyPI)
What is CVE-2021-28675 About?
Pillow before 8.2.0 has a denial-of-service vulnerability in `PSDImagePlugin.PsdImageFile` due to a missing sanity check on the number of input layers. This can cause the application to become unresponsive by consuming excessive resources, making it easy to exploit with a malformed PSD file.
Affected Software
Technical Details
The vulnerability resides in the PSDImagePlugin.PsdImageFile component of Pillow. When processing a PSD (Photoshop Document) file, the component fails to check that the number of layers declared in the file is consistent with the size of the data block that is supposed to hold them. An attacker can craft a PSD file that declares an exceptionally large number of layers without supplying the corresponding layer data. When Image.open is called followed by Image.load, Pillow attempts to process this implausible number of layers, leading to excessive memory allocation or CPU consumption and ultimately to a denial of service (DoS) before the file is fully loaded.
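As an added example (not code from this advisory or from Pillow itself), the following pure-Python pre-check mirrors the class of sanity check the fix introduces: it walks the PSD section lengths to the layer info block and rejects a file whose declared layer count cannot possibly fit in the bytes present, so an upload handler can drop such a file before it ever reaches Image.open. The 20-byte minimum record size is an assumed conservative bound, and build_psd is a constructed helper that produces minimal test files.

```python
import struct

# Assumption: a conservative lower bound on the size of one layer record.
# Real records are larger, so a valid file is never rejected by this bound.
MIN_LAYER_RECORD_BYTES = 20


def check_psd_layer_count(data: bytes):
    """Return (ok, reason) after comparing the declared layer count
    with the number of bytes actually available for layer records."""
    if len(data) < 26 or data[:4] != b"8BPS":
        return False, "not a PSD file"
    pos = 26  # fixed-size file header
    # Skip the two length-prefixed sections that precede layer data.
    for name in ("color mode data", "image resources"):
        if pos + 4 > len(data):
            return False, f"truncated before {name} section"
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4 + length
    if pos + 4 > len(data):
        return False, "truncated before layer and mask info section"
    (lm_len,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    if lm_len == 0:
        return True, "no layer and mask info"
    if pos + 6 > len(data):
        return False, "truncated layer info"
    # Layer info: 4-byte length, then a signed 16-bit layer count.
    layer_info_len, count = struct.unpack(">Ih", data[pos:pos + 6])
    count = abs(count)  # negative count only flags transparency in the first alpha channel
    if layer_info_len > len(data) - pos - 4:
        return False, "layer info length exceeds file size"
    if count * MIN_LAYER_RECORD_BYTES > layer_info_len:
        return False, f"{count} layers declared but only {layer_info_len} bytes of layer info"
    return True, f"{count} layers in {layer_info_len} bytes"


def build_psd(layer_count: int, layer_info_len: int) -> bytes:
    """Constructed minimal 1x1 RGB PSD with empty colour-mode and resource
    sections and a layer info block of layer_info_len bytes declaring
    layer_count layers (the block holds the count plus zero padding)."""
    header = b"8BPS" + struct.pack(">H6xHIIHH", 1, 3, 1, 1, 8, 3)
    layer_info = struct.pack(">Ih", layer_info_len, layer_count)
    layer_info += b"\0" * max(layer_info_len - 2, 0)
    return (header + struct.pack(">I", 0) + struct.pack(">I", 0)
            + struct.pack(">I", len(layer_info)) + layer_info)
```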
What is the Impact of CVE-2021-28675?
Successful exploitation may allow attackers to hang or crash applications processing PSD image files, leading to a denial of service. This can disrupt services and make the affected system unavailable until manual intervention.
What is the Exploitability of CVE-2021-28675?
Exploitation is relatively straightforward: the attacker only needs a way to submit a PSD file to the target system's image-processing functionality. No authentication or elevated privileges are necessary. The primary risk factor is the application's exposure to untrusted image file uploads or processing, since that is what allows a malicious PSD file to reach the vulnerable code.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-28675?
Available Upgrade Options
- pillow
- <8.2.0 → Upgrade to 8.2.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-28675
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL
- https://security.gentoo.org/glsa/202107-33
- https://github.com/advisories/GHSA-g6rj-rv7j-xwp4
- https://osv.dev/vulnerability/GHSA-g6rj-rv7j-xwp4
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-139.yaml
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to CVE-2021-28675?
Similar Vulnerabilities: CVE-2021-27921, CVE-2021-28676, CVE-2020-35653, CVE-2016-9189, CVE-2014-8255
