CVE-2024-28219
Buffer Overflow vulnerability in pillow (PyPI)

Buffer Overflow | No known exploit

What is CVE-2024-28219 About?

This vulnerability is a buffer overflow in Pillow before version 10.3.0, specifically in `imagingcms.c`. It occurs due to the insecure use of `strcpy` instead of `strncpy`, allowing an attacker to write beyond the bounds of a buffer. Exploitation could lead to denial of service or potentially arbitrary code execution, and its ease depends on whether controlled input can trigger the overflow.

Affected Software

pillow <10.3.0

Technical Details

The buffer overflow exists within the imagingcms.c file in Pillow. The root cause is the use of the strcpy function, which does not perform bounds checking and copies characters from a source string until a null terminator is encountered. If the source string, potentially influenced by attacker-controlled input, is larger than the allocated buffer, strcpy will write past the end of the buffer, corrupting adjacent memory. This memory corruption can lead to application crashes (denial of service), or, under specific circumstances, allow an attacker to inject and execute arbitrary code by overwriting critical program control data structures like function pointers or return addresses on the stack or heap.
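The pattern described above, written out as an added C illustration (this is not code from Pillow, imagingcms.c or this advisory): an unbounded strcpy() beside a bounded copy that refuses input that does not fit. The buffer size NAME_BUF_SIZE and the sample strings are constructed for the example; the page does not state the actual buffer sizes or field names involved.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the illustration; the real sizes in
 * imagingcms.c are not given on this page. */
#define NAME_BUF_SIZE 32

/* The pattern the advisory describes: strcpy() copies until it finds a NUL
 * and never consults the destination size, so a source longer than
 * NAME_BUF_SIZE - 1 bytes writes past the end of dst. */
static void copy_unbounded(char dst[NAME_BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Length of src, never scanning further than limit bytes. Written out
 * instead of using strnlen() so the example is plain C11. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject anything that does not fit together with its NUL,
 * then copy exactly the checked number of bytes and terminate explicitly.
 * Returns 0 on success, -1 when the input is rejected (dst is left empty).
 * Switching to strncpy() alone is not sufficient: strncpy() writes no NUL
 * when src fills the whole buffer, leaving an unterminated string for the
 * next reader. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) {           /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Run a list of inputs through copy_bounded() and count how many are
 * rejected; a unit test or fuzz harness for a parser has the same shape. */
static int count_rejected(const char *const *inputs, size_t count)
{
    char buf[NAME_BUF_SIZE];
    int rejected = 0;
    for (size_t i = 0; i < count; i++)
        if (copy_bounded(buf, sizeof buf, inputs[i]) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    char buf[NAME_BUF_SIZE];

    /* Constructed sample inputs: one fits, one is longer than the buffer. */
    const char *short_name = "example-profile";
    const char *long_name  = "this-constructed-description-is-far-longer-than-the-buffer";

    copy_unbounded(buf, short_name);   /* safe only because this input is short */
    printf("unbounded copy (short input): %s\n", buf);

    printf("bounded copy (short): rc=%d -> \"%s\"\n",
           copy_bounded(buf, sizeof buf, short_name), buf);
    printf("bounded copy (long):  rc=%d -> \"%s\"\n",
           copy_bounded(buf, sizeof buf, long_name), buf);
    return 0;
}
```

The boundary case is the one to test: a 31-byte string is the longest that fits a 32-byte buffer with its terminator, and a 32-byte string must be refused rather than silently truncated or left unterminated.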

What is the Impact of CVE-2024-28219?

Successful exploitation may allow attackers to cause a denial of service (application crash) or, in more severe cases, achieve arbitrary code execution, potentially compromising the system where Pillow is being used.

What is the Exploitability of CVE-2024-28219?

Exploitation complexity can range from medium to high, depending on the ability to reliably control the size and content of the overflowing data to achieve more than just a crash. Prerequisites include an application processing untrusted image data using Pillow versions prior to 10.3.0. Authentication might not be required if the vulnerable component processes images from unauthenticated sources. No special privileges are typically needed for the attacker to supply a malformed image. This can be exploited remotely if the application accepts image uploads or processes image data from remote sources. Exploitation likelihood increases if the application extensively processes various image formats from untrusted origins.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-28219?

Available Upgrade Options

  • pillow
    • <10.3.0 → Upgrade to 10.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-28219?

Similar Vulnerabilities: CVE-2023-38634, CVE-2022-24795, CVE-2021-39212, CVE-2020-17523, CVE-2019-15029