Vulnerability-Lookup

CVE-2021-28678 (GCVE-0-2021-28678)

Vulnerability from cvelistv5 – Published: 2021-06-02 15:16 – Updated: 2024-08-03 21:47

Summary

An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

Assigner

mitre

References

4 references

URL	Tags
https://pillow.readthedocs.io/en/stable/releaseno…	x_refsource_MISC
https://github.com/python-pillow/Pillow/pull/5377	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://security.gentoo.org/glsa/202107-33	vendor-advisoryx_refsource_GENTOO

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:33.136Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/python-pillow/Pillow/pull/5377"
          },
          {
            "name": "FEDORA-2021-77756994ba",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
          },
          {
            "name": "GLSA-202107-33",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202107-33"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-15T06:06:54.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-pillow/Pillow/pull/5377"
        },
        {
          "name": "FEDORA-2021-77756994ba",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
        },
        {
          "name": "GLSA-202107-33",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202107-33"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28678",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos",
              "refsource": "MISC",
              "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos"
            },
            {
              "name": "https://github.com/python-pillow/Pillow/pull/5377",
              "refsource": "MISC",
              "url": "https://github.com/python-pillow/Pillow/pull/5377"
            },
            {
              "name": "FEDORA-2021-77756994ba",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"
            },
            {
              "name": "GLSA-202107-33",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202107-33"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28678",
    "datePublished": "2021-06-02T15:16:23.000Z",
    "dateReserved": "2021-03-18T00:00:00.000Z",
    "dateUpdated": "2024-08-03T21:47:33.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-28678",
      "date": "2026-06-19",
      "epss": "0.00735",
      "percentile": "0.49593"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.2.0\", \"matchCriteriaId\": \"67AB0921-A1F5-4B3B-BED5-FC8B1DAF30C6\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado un problema en Pillow versiones anteriores a 8.2.0,. En el caso de los datos BLP, la funci\\u00f3n BlpImagePlugin no comprobaba apropiadamente que las lecturas (despu\\u00e9s de saltar a los offsets de los archivos) devolv\\u00edan datos. Esto pod\\u00eda conllevar a un DoS en el que el decodificador pod\\u00eda ser ejecutado un gran n\\u00famero de veces con datos vac\\u00edos\"}]",
      "id": "CVE-2021-28678",
      "lastModified": "2024-11-21T06:00:06.830",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:N/A:P\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-06-02T16:15:08.860",
      "references": "[{\"url\": \"https://github.com/python-pillow/Pillow/pull/5377\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202107-33\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/python-pillow/Pillow/pull/5377\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202107-33\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-345\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28678\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-06-02T16:15:08.860\",\"lastModified\":\"2024-11-21T06:00:06.830\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en Pillow versiones anteriores a 8.2.0,. En el caso de los datos BLP, la funci\u00f3n BlpImagePlugin no comprobaba apropiadamente que las lecturas (despu\u00e9s de saltar a los offsets de los archivos) devolv\u00edan datos. Esto pod\u00eda conllevar a un DoS en el que el decodificador pod\u00eda ser ejecutado un gran n\u00famero de veces con datos vac\u00edos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.2.0\",\"matchCriteriaId\":\"67AB0921-A1F5-4B3B-BED5-FC8B1DAF30C6\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}],\"references\":[{\"url\":\"https://github.com/python-pillow/Pillow/pull/5377\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-33\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/python-pillow/Pillow/pull/5377\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-33\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

SUSE-SU-2024:1607-1

Vulnerability from csaf_suse - Published: 2024-05-10 16:35 - Updated: 2024-05-10 16:35

Summary

Security update for python-Pillow

Severity

Important

Notes

Title of the patch: Security update for python-Pillow

Description of the patch: This update for python-Pillow fixes the following issues: - CVE-2021-25287: out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805) - CVE-2021-25288: out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803) - CVE-2021-28675: DoS in PsdImagePlugin (bsc#1185804) - CVE-2021-28676: infinite loop in FliDecode.c can lead to DoS (bsc#1185786) - CVE-2021-28677: DoS in the open phase via a malicious EPS file (bsc#1185785) - CVE-2021-28678: improper check in BlpImagePlugin can lead to DoS (bsc#1185784)

Patchnames: SUSE-2024-1607,openSUSE-SLE-15.5-2024-1607

CVE-2021-25287

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-25288

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-28675

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-28676

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-28677

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2021-28678

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64	—	Vendor Fix

Threats

Impact important

References

28 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2024…	self
https://bugzilla.suse.com/1185784	self
https://bugzilla.suse.com/1185785	self
https://bugzilla.suse.com/1185786	self
https://bugzilla.suse.com/1185803	self
https://bugzilla.suse.com/1185804	self
https://bugzilla.suse.com/1185805	self
https://www.suse.com/security/cve/CVE-2021-25287/	self
https://www.suse.com/security/cve/CVE-2021-25288/	self
https://www.suse.com/security/cve/CVE-2021-28675/	self
https://www.suse.com/security/cve/CVE-2021-28676/	self
https://www.suse.com/security/cve/CVE-2021-28677/	self
https://www.suse.com/security/cve/CVE-2021-28678/	self
https://www.suse.com/security/cve/CVE-2021-25287	external
https://bugzilla.suse.com/1185805	external
https://www.suse.com/security/cve/CVE-2021-25288	external
https://bugzilla.suse.com/1185803	external
https://www.suse.com/security/cve/CVE-2021-28675	external
https://bugzilla.suse.com/1185804	external
https://www.suse.com/security/cve/CVE-2021-28676	external
https://bugzilla.suse.com/1185786	external
https://www.suse.com/security/cve/CVE-2021-28677	external
https://bugzilla.suse.com/1185785	external
https://www.suse.com/security/cve/CVE-2021-28678	external
https://bugzilla.suse.com/1185784	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-Pillow",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-Pillow fixes the following issues:\n\n- CVE-2021-25287: out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805)\n- CVE-2021-25288: out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803)\n- CVE-2021-28675: DoS in PsdImagePlugin (bsc#1185804)\n- CVE-2021-28676: infinite loop in FliDecode.c can lead to DoS (bsc#1185786)\n- CVE-2021-28677: DoS in the open phase via a malicious EPS file (bsc#1185785)\n- CVE-2021-28678: improper check in BlpImagePlugin can lead to DoS (bsc#1185784)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-1607,openSUSE-SLE-15.5-2024-1607",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_1607-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:1607-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20241607-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:1607-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2024-May/035237.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185784",
        "url": "https://bugzilla.suse.com/1185784"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185785",
        "url": "https://bugzilla.suse.com/1185785"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185786",
        "url": "https://bugzilla.suse.com/1185786"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185803",
        "url": "https://bugzilla.suse.com/1185803"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185804",
        "url": "https://bugzilla.suse.com/1185804"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1185805",
        "url": "https://bugzilla.suse.com/1185805"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-25287 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-25287/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-25288 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-25288/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28675 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28675/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28676 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28676/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28677 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28677/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-28678 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-28678/"
      }
    ],
    "title": "Security update for python-Pillow",
    "tracking": {
      "current_release_date": "2024-05-10T16:35:22Z",
      "generator": {
        "date": "2024-05-10T16:35:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:1607-1",
      "initial_release_date": "2024-05-10T16:35:22Z",
      "revision_history": [
        {
          "date": "2024-05-10T16:35:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-Pillow-7.2.0-150300.3.12.1.aarch64",
                "product": {
                  "name": "python3-Pillow-7.2.0-150300.3.12.1.aarch64",
                  "product_id": "python3-Pillow-7.2.0-150300.3.12.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
                "product": {
                  "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
                  "product_id": "python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-Pillow-7.2.0-150300.3.12.1.i586",
                "product": {
                  "name": "python3-Pillow-7.2.0-150300.3.12.1.i586",
                  "product_id": "python3-Pillow-7.2.0-150300.3.12.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.i586",
                "product": {
                  "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.i586",
                  "product_id": "python3-Pillow-tk-7.2.0-150300.3.12.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
                "product": {
                  "name": "python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
                  "product_id": "python3-Pillow-7.2.0-150300.3.12.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
                "product": {
                  "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
                  "product_id": "python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-Pillow-7.2.0-150300.3.12.1.s390x",
                "product": {
                  "name": "python3-Pillow-7.2.0-150300.3.12.1.s390x",
                  "product_id": "python3-Pillow-7.2.0-150300.3.12.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
                "product": {
                  "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
                  "product_id": "python3-Pillow-tk-7.2.0-150300.3.12.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python3-Pillow-7.2.0-150300.3.12.1.x86_64",
                "product": {
                  "name": "python3-Pillow-7.2.0-150300.3.12.1.x86_64",
                  "product_id": "python3-Pillow-7.2.0-150300.3.12.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64",
                "product": {
                  "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64",
                  "product_id": "python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-7.2.0-150300.3.12.1.aarch64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64"
        },
        "product_reference": "python3-Pillow-7.2.0-150300.3.12.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-7.2.0-150300.3.12.1.ppc64le as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le"
        },
        "product_reference": "python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-7.2.0-150300.3.12.1.s390x as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x"
        },
        "product_reference": "python3-Pillow-7.2.0-150300.3.12.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-7.2.0-150300.3.12.1.x86_64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64"
        },
        "product_reference": "python3-Pillow-7.2.0-150300.3.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64"
        },
        "product_reference": "python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le"
        },
        "product_reference": "python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.s390x as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x"
        },
        "product_reference": "python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        },
        "product_reference": "python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-25287",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-25287"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-25287",
          "url": "https://www.suse.com/security/cve/CVE-2021-25287"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185805 for CVE-2021-25287",
          "url": "https://bugzilla.suse.com/1185805"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-25287"
    },
    {
      "cve": "CVE-2021-25288",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-25288"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-25288",
          "url": "https://www.suse.com/security/cve/CVE-2021-25288"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185803 for CVE-2021-25288",
          "url": "https://bugzilla.suse.com/1185803"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-25288"
    },
    {
      "cve": "CVE-2021-28675",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28675"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28675",
          "url": "https://www.suse.com/security/cve/CVE-2021-28675"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185804 for CVE-2021-28675",
          "url": "https://bugzilla.suse.com/1185804"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-28675"
    },
    {
      "cve": "CVE-2021-28676",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28676"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecode did not properly check that the block advance was non-zero, potentially leading to an infinite loop on load.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28676",
          "url": "https://www.suse.com/security/cve/CVE-2021-28676"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185786 for CVE-2021-28676",
          "url": "https://bugzilla.suse.com/1185786"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-28676"
    },
    {
      "cve": "CVE-2021-28677",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28677"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28677",
          "url": "https://www.suse.com/security/cve/CVE-2021-28677"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185785 for CVE-2021-28677",
          "url": "https://bugzilla.suse.com/1185785"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-28677"
    },
    {
      "cve": "CVE-2021-28678",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-28678"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
          "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-28678",
          "url": "https://www.suse.com/security/cve/CVE-2021-28678"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1185784 for CVE-2021-28678",
          "url": "https://bugzilla.suse.com/1185784"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-7.2.0-150300.3.12.1.x86_64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.aarch64",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.ppc64le",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.s390x",
            "openSUSE Leap 15.5:python3-Pillow-tk-7.2.0-150300.3.12.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-05-10T16:35:22Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-28678"
    }
  ]
}

WID-SEC-W-2022-1835

Vulnerability from csaf_certbund - Published: 2021-11-09 23:00 - Updated: 2026-03-30 22:00

Summary

Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuführen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - UNIX

CVE-2020-35653

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2020-35655

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25287

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25288

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25290

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25292

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-25293

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27921

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27922

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-27923

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28675

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28676

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28677

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-28678

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

CVE-2021-34552

Affected products

Known affected 5 products

Product	Identifier	Version
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Open Source Python Pillow Open Source / Python	`cpe:/a:python:python:pillow`	Pillow
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Red Hat Enterprise Linux 8 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:8`	8

References

12 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2021:4149	external
https://access.redhat.com/errata/RHSA-2021:4702	external
https://packetstormsecurity.com/files/165588/USN-…	external
https://ubuntu.com/security/notices/USN-5227-3	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html	external
https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://ubuntu.com/security/notices/USN-8135-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux in python-pillow ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1835 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-1835.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1835 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1835"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2021-11-09",
        "url": "https://access.redhat.com/errata/RHSA-2021:4149"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2021:4702 vom 2021-11-16",
        "url": "https://access.redhat.com/errata/RHSA-2021:4702"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5227-1 vom 2022-01-17",
        "url": "https://packetstormsecurity.com/files/165588/USN-5227-2.txt"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5227-3 vom 2022-10-24",
        "url": "https://ubuntu.com/security/notices/USN-5227-3"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2023-2083 vom 2023-06-08",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2083.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2023-2087 vom 2023-06-13",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2087.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2-2023-2105 vom 2023-07-01",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2105.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1607-1 vom 2024-05-11",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G2ZGHJ52ROAMO32KNZTUOETPD6QKSIDY/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:1673-2 vom 2024-06-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-June/018714.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8135-1 vom 2026-03-31",
        "url": "https://ubuntu.com/security/notices/USN-8135-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux (python-pillow): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-30T22:00:00.000+00:00",
      "generator": {
        "date": "2026-03-31T11:44:10.723+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2022-1835",
      "initial_release_date": "2021-11-09T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-11-09T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2021-11-10T23:00:00.000+00:00",
          "number": "2",
          "summary": "Anpassung"
        },
        {
          "date": "2021-11-16T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-01-17T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2022-10-24T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2023-06-08T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2023-06-12T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2023-07-02T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2024-05-12T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-06-13T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-03-30T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "11"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Pillow",
                "product": {
                  "name": "Open Source Python Pillow",
                  "product_id": "T020996",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:python:python:pillow"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Python"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8",
                "product": {
                  "name": "Red Hat Enterprise Linux 8",
                  "product_id": "T014111",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-35653",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2020-35653"
    },
    {
      "cve": "CVE-2020-35655",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2020-35655"
    },
    {
      "cve": "CVE-2021-25287",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25287"
    },
    {
      "cve": "CVE-2021-25288",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25288"
    },
    {
      "cve": "CVE-2021-25290",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25290"
    },
    {
      "cve": "CVE-2021-25292",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25292"
    },
    {
      "cve": "CVE-2021-25293",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-25293"
    },
    {
      "cve": "CVE-2021-27921",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27921"
    },
    {
      "cve": "CVE-2021-27922",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27922"
    },
    {
      "cve": "CVE-2021-27923",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-27923"
    },
    {
      "cve": "CVE-2021-28675",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28675"
    },
    {
      "cve": "CVE-2021-28676",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28676"
    },
    {
      "cve": "CVE-2021-28677",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28677"
    },
    {
      "cve": "CVE-2021-28678",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-28678"
    },
    {
      "cve": "CVE-2021-34552",
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126",
          "T020996",
          "398363",
          "T014111"
        ]
      },
      "release_date": "2021-11-09T23:00:00.000+00:00",
      "title": "CVE-2021-34552"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-28678 (GCVE-0-2021-28678)

SUSE-SU-2024:1607-1

WID-SEC-W-2022-1835

Tags

Sightings

Nomenclature