CVE-2021-28678 (Medium) detected in Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Question

CVE-2021-28678 (Medium) detected in Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Opened this issue 3 years ago · 0 comments

mend-bolt-for-github commented 3 years ago

CVE-2021-28678 - Medium Severity Vulnerability

Vulnerable Library - Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Python Imaging Library (Fork)

Library home page: https://files.pythonhosted.org/packages/12/ad/61f8dfba88c4e56196bf6d056cdbba64dc9c5dfdfbc97d02e6472feed913/Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

streamlit-0.55.2-py2.py3-none-any.whl (Root Library)
- ❌ Pillow-6.2.2-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Publish Date: 2021-06-02

URL: CVE-2021-28678

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28678

Release Date: 2021-06-02

Fix Resolution (pillow): 8.3.0

Direct dependency fix Resolution (streamlit): 0.56.0

Step up your Open Source Security Game with Mend here