CVE-2021-28677
Denial of Service vulnerability in pillow (PyPI)

Denial of Service · No known exploit · Fixable by Resolved Security

What is CVE-2021-28677 About?

This vulnerability in Pillow before 8.2.0 involves an accidentally quadratic `readline` implementation used when reading EPS data, causing a DoS. A malicious EPS file can trigger it during the open phase, before any image data is accepted, so service unavailability is easy to cause. Successful exploitation leads to a denial of service.

Affected Software

pillow <8.2.0

Technical Details

The vulnerability relates to the `readline` implementation used by `EPSImageFile` when processing EPS data in Pillow. This implementation exhibits quadratic time complexity ("accidentally quadratic") when handling various combinations of carriage return (`\r`) and newline (`\n`) as line endings. A malicious EPS file can be crafted with line-ending patterns that force `readline` to execute in a computationally expensive manner. This excessive processing occurs during the initial "open phase" of the EPS file, before the image data is fully accepted. By triggering this quadratic processing, an attacker can consume an inordinate amount of CPU time, leading to a denial-of-service (DoS) condition for the application or server attempting to open the malicious EPS file.
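The property a fix needs is a line reader whose cost is proportional to the number of bytes scanned, however `\r` and `\n` are combined, together with a bound on how much header a parser is willing to read before giving up. The block below is an added illustration written for this page, not Pillow's code and not its actual 8.2.0 patch: `iter_lines` walks the buffer once, treating `\r\n`, `\r` and `\n` as terminators; `eps_header_lines` collects the DSC comment lines under an assumed byte cap (`max_header_bytes`, a defensive choice for this example); and `pillow_is_affected` gates on the affected range (`<8.2.0`) from the Affected Software section. The sample EPS header is constructed for the example.

```python
"""Linear-time line reading over mixed CR/LF endings (added illustration).

Not Pillow's code. Shows what a fix for CVE-2021-28677 has to achieve:
one pass over the EPS header regardless of how '\r' and '\n' are combined,
plus a cap on header size and a version gate for the affected range.
"""
from typing import Iterator, Tuple

# Constructed sample: DSC header with deliberately mixed line endings
# ('\r\n', bare '\r', bare '\n', then blank lines and binary payload).
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\r\n"
    b"%%BoundingBox: 0 0 100 100\r"
    b"%%EndComments\n"
    b"\r\n\r\n"
    b"binary"
)


def iter_lines(data: bytes) -> Iterator[bytes]:
    """Yield lines from `data`, treating '\\r\\n', '\\r' and '\\n' as terminators.

    Runs in O(len(data)): every byte is inspected exactly once and no prefix
    of the buffer is rescanned, which is the property an "accidentally
    quadratic" readline lacks. A trailing unterminated line is also yielded.
    """
    start = 0
    i = 0
    n = len(data)
    while i < n:
        b = data[i]
        if b == 0x0A:  # '\n'
            yield data[start:i]
            i += 1
            start = i
        elif b == 0x0D:  # '\r', optionally followed by '\n'
            yield data[start:i]
            i += 1
            if i < n and data[i] == 0x0A:
                i += 1
            start = i
        else:
            i += 1
    if start < n:
        yield data[start:]


def eps_header_lines(data: bytes, max_header_bytes: int = 64 * 1024) -> Tuple[bytes, ...]:
    """Return the DSC comment lines (starting with '%') that open an EPS file.

    Scanning stops at '%%EndComments' or at the first line that is not a
    comment. `max_header_bytes` is an assumed defensive bound so that an
    oversized or endless header cannot keep the parser busy.
    """
    header = []
    for line in iter_lines(data[:max_header_bytes]):
        if not line.startswith(b"%"):
            break
        header.append(line)
        if line.startswith(b"%%EndComments"):
            break
    return tuple(header)


def pillow_is_affected(version: str) -> bool:
    """True if a Pillow version string falls in the affected range (<8.2.0).

    Only the leading digits of each dotted component are compared, so
    suffixes such as 'post1' or 'rc1' are ignored for the gate.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) < (8, 2, 0)


if __name__ == "__main__":
    for line in eps_header_lines(SAMPLE_EPS):
        print(line.decode("ascii"))
    print("8.1.2 affected:", pillow_is_affected("8.1.2"))
    print("8.2.0 affected:", pillow_is_affected("8.2.0"))
```

Run against a real installation, the gate would take `PIL.__version__`; the header reader is the part to compare with any home-grown EPS pre-check a service performs before handing files to Pillow.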

What is the Impact of CVE-2021-28677?

Successful exploitation may allow attackers to perform a denial-of-service attack, making the application or service unresponsive by consuming excessive computational resources.

What is the Exploitability of CVE-2021-28677?

Exploitation is relatively straightforward: it involves creating a specifically formatted EPS file that triggers the quadratic `readline` behavior. The complexity is low to moderate, since it primarily requires manipulating line endings within an EPS file structure. No authentication or elevated privileges are necessary, so this is a remote attack vector wherever a system processes untrusted EPS files. The primary risk factor is the automatic or user-initiated processing of untrusted EPS images. The one special condition is that the EPS file contains a pattern of line endings that maximizes the inefficient processing path, causing the DoS before the image is even fully loaded. Because it occurs during the "open phase", the impact is immediate and can block any further image processing.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-28677?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • pillow
    • <8.2.0 → Upgrade to 8.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-28677?

Similar Vulnerabilities: CVE-2017-1000499, CVE-2018-1000880, CVE-2020-15367, CVE-2019-14493, CVE-2020-27823