CyberSec.Space Logo
Back to CVE Browser

CVE-2021-34552

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1490%
EPSS Percentile43.06th
PublishedJul 13, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Affected Platforms (CPE)

πŸ“¦
Python

Pillow

>= 1.0 and <= 1.1.7
πŸ“¦
Python

Pillow

>= 1.2 and <= 8.2.0
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Fedoraproject

Fedora

= 33
πŸ’»
Fedoraproject

Fedora

= 34

References & Advisories

πŸ”— https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/
πŸ”— https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
πŸ”— https://pillow.readthedocs.io/en/stable/releasenotes/index.html
πŸ”— https://security.gentoo.org/glsa/202211-10
πŸ”— https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/

Related Vulnerabilities

CVE-2014-300710.0

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell m...

CVE-2021-252899.8

An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files beca...

CVE-2020-53119.8

libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.

CVE-2020-53129.8

libImaging/PcxDecode.c in Pillow before 6.2.2 has a PCX P mode buffer overflow.