Insufficient Verification of Data Authenticity

CVE-2021-28678

Severity Medium
Score 5.5/10

Summary

An issue was discovered in Pillow 5.1.0 before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
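The flaw class described in the summary, shown as an added Python example (not Pillow's code and not part of this advisory). A constructed toy container stands in for BLP, and every name in it (`make_file`, `decode_unchecked`, `read_exact`, `decode_checked`, `TruncatedData`) is hypothetical.

```python
import io
import struct

# Constructed toy container (not the real BLP layout): a header of two
# little-endian (offset, row_count) uint32 pairs; each row is ROW bytes.
HEADER = struct.Struct("<4I")
ROW = 4


class TruncatedData(OSError):
    """A read returned fewer bytes than the header promised."""


def make_file(rows, with_data=True):
    """Build a sample file; with_data=False leaves only the header."""
    size = rows * ROW
    header = HEADER.pack(HEADER.size, rows, HEADER.size + size, rows)
    return io.BytesIO(header + (bytes(2 * size) if with_data else b""))


def decode_unchecked(fp):
    """Flawed pattern: seek to a header offset and trust whatever read() returns."""
    off0, rows0, off1, rows1 = HEADER.unpack(fp.read(HEADER.size))
    empty_calls = 0
    for offset, rows in ((off0, rows0), (off1, rows1)):
        fp.seek(offset)
        block = fp.read(rows * ROW)          # b"" when offset is past EOF
        for i in range(rows):                # loop bound comes from the header
            row = block[i * ROW:(i + 1) * ROW]
            empty_calls += not row           # decoder invoked on empty data
    return empty_calls


def read_exact(fp, offset, length):
    """Seek, read, and refuse short reads instead of decoding them."""
    fp.seek(offset)
    data = fp.read(length)
    if len(data) != length:
        raise TruncatedData(f"wanted {length} bytes at {offset}, got {len(data)}")
    return data


def decode_checked(fp):
    """Hardened pattern: every block must be fully present before decoding."""
    off0, rows0, off1, rows1 = HEADER.unpack(fp.read(HEADER.size))
    blocks = [read_exact(fp, o, r * ROW) for o, r in ((off0, rows0), (off1, rows1))]
    return sum(len(b) // ROW for b in blocks)
```

With the header-only sample, the unchecked decoder does work proportional to the row counts in the header while holding no data, whereas the checked decoder fails on the first short read.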

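  • Attack Complexity: LOW
  • Attack Vector: LOCAL
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: REQUIRED
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH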

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Advisory Timeline

  • Published