GHSA-hjfx-8p6c-g7gx

Source
https://github.com/advisories/GHSA-hjfx-8p6c-g7gx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-hjfx-8p6c-g7gx/GHSA-hjfx-8p6c-g7gx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hjfx-8p6c-g7gx
Aliases
Published
2021-06-08T18:49:20Z
Modified
2024-10-14T21:48:01.061332Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Insufficient Verification of Data Authenticity in Pillow
Details

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Database specific
{
    "nvd_published_at": "2021-06-02T16:15:00Z",
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-03T21:38:37Z"
}
References

Affected packages

PyPI / pillow

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
8.2.0

Affected versions

5.*

5.1.0
5.2.0
5.3.0
5.4.0.dev0
5.4.0
5.4.1

6.*

6.0.0
6.1.0
6.2.0
6.2.1
6.2.2

7.*

7.0.0
7.1.0
7.1.1
7.1.2
7.2.0

8.*

8.0.0
8.0.1
8.1.0
8.1.1
8.1.2