CVE-2021-28676
Infinite Loop vulnerability in pillow (PyPI)


What is CVE-2021-28676 About?

This vulnerability in Pillow before 8.2.0 is an infinite loop when processing FLI data, caused by an unchecked block advance value. An attacker can trigger it simply by supplying a malformed FLI file, which renders the application unresponsive.

Affected Software

pillow <8.2.0

Technical Details

The vulnerability resides in the FliDecode function within Pillow, specifically in its handling of FLI image data. The function fails to validate the 'block advance' value, which drives iteration through the data blocks. If a crafted FLI file supplies a block advance value that is zero or otherwise leads to an invalid progression, FliDecode enters an infinite loop while attempting to decode the image instead of terminating or flagging an error. This consumes CPU resources, leading to a denial of service.
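As an added illustration, not Pillow's own code, the following Python sketch shows the kind of bounds check on the block advance that the description above calls for, applied to a walk over FLI-style sub-chunks before the data is handed to a decoder. The 6-byte chunk header layout (4-byte little-endian size followed by a 2-byte type), the helper names and the sample inputs are assumptions constructed for this example.

```python
import struct

# Assumed FLI-style sub-chunk header: 4-byte little-endian size, 2-byte type.
# The size counts the header itself, so a decoder advances by `size`.
CHUNK_HEADER = struct.Struct("<IH")


def build_chunk(chunk_type, payload=b"", size=None):
    """Build one sub-chunk; `size` may be overridden to forge a bad advance."""
    if size is None:
        size = CHUNK_HEADER.size + len(payload)
    return CHUNK_HEADER.pack(size, chunk_type) + payload


def walk_chunks(frame, max_chunks=1024):
    """Walk sub-chunks and return (chunk_type, payload) pairs.

    The advance is validated before it is used: an advance smaller than the
    header would leave the offset unchanged or move it backwards (the
    infinite-loop condition), and an advance past the end of the buffer
    would read out of bounds. Both raise ValueError instead of spinning.
    """
    chunks = []
    offset = 0
    while offset < len(frame):
        if len(chunks) >= max_chunks:
            raise ValueError("too many sub-chunks")
        if len(frame) - offset < CHUNK_HEADER.size:
            raise ValueError("truncated chunk header at offset %d" % offset)
        advance, chunk_type = CHUNK_HEADER.unpack_from(frame, offset)
        if advance < CHUNK_HEADER.size:
            raise ValueError("invalid block advance %d at offset %d" % (advance, offset))
        if offset + advance > len(frame):
            raise ValueError("block advance %d overruns buffer at %d" % (advance, offset))
        payload = bytes(frame[offset + CHUNK_HEADER.size:offset + advance])
        chunks.append((chunk_type, payload))
        offset += advance
    return chunks


def is_safe_frame(frame):
    """True when every block advance is sane, False for the malformed cases."""
    try:
        walk_chunks(frame)
    except ValueError:
        return False
    return True


# Constructed inputs: a well-formed frame, and one whose first chunk advertises
# a block advance of zero, the condition that would hang an unchecked loop.
GOOD_FRAME = build_chunk(0x0B, b"\x01\x02\x03") + build_chunk(0x0F, b"\xff" * 4)
ZERO_ADVANCE_FRAME = build_chunk(0x0B, b"\x01\x02\x03", size=0) + build_chunk(0x0F)
```

Running `is_safe_frame` over untrusted input before decoding is a pre-filter only; the actual fix is upgrading Pillow to 8.2.0 or later.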

What is the Impact of CVE-2021-28676?

Successful exploitation may allow attackers to hang or crash applications processing FLI image files, leading to a denial of service. This can disrupt services and make the affected system unavailable until manual intervention.

What is the Exploitability of CVE-2021-28676?

Exploitation of this vulnerability is relatively straightforward and requires only remote access to the target system's image processing functionality. An attacker needs to supply a specially crafted FLI image file. No authentication or elevated privileges are necessary for successful exploitation. The primary risk factor is the application's exposure to untrusted image file uploads or processing, which increases the likelihood of a malicious FLI file being processed.

What are the Known Public Exploits?

No known exploits (the PoC, Author, Link and Commentary table is empty).

What are the Available Fixes for CVE-2021-28676?

Available Upgrade Options

  • pillow
    • <8.2.0 → Upgrade to 8.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-28676?

Similar Vulnerabilities: CVE-2021-27921, CVE-2021-28675, CVE-2020-35653, CVE-2016-9189, CVE-2014-8255