Insufficient Verification of Data Authenticity
CVE-2021-28678
Summary
An issue was discovered in Pillow 5.1.0 before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
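The failure mode in the summary, as an added example that is not Pillow's code: a reader that seeks to offsets taken from the file and decodes whatever `read()` returns, beside a reader that demands the exact byte count. The table layout of `(offset, length)` pairs, the function names and the sample files are assumptions constructed for illustration, not the BLP format.

```python
import io
import struct

class TruncatedRead(OSError):
    """A read returned fewer bytes than the file's own tables promised."""

def unchecked_read(fp, size):
    """The flawed pattern: accept whatever read() returns, even nothing."""
    return fp.read(size)

def safe_read(fp, size):
    """Return exactly `size` bytes from `fp` or raise TruncatedRead."""
    data = fp.read(size)
    if len(data) != size:
        raise TruncatedRead(f"wanted {size} bytes, got {len(data)}")
    return data

def decode_blocks(fp, count, read):
    """Walk a table of (offset, length) pairs; return how often the decoder ran."""
    table = read(fp, 8 * count)
    decoder_runs = 0
    for i in range(count):
        offset, length = struct.unpack_from("<II", table, 8 * i)
        fp.seek(offset)            # seeking past EOF succeeds silently
        block = read(fp, length)   # the unchecked read yields b"" there
        decoder_runs += 1          # stand-in for one decoder invocation on `block`
    return decoder_runs

def make_file(count, payload_present):
    """Constructed sample: a table of `count` 16-byte blocks, payload optional."""
    base = 8 * count
    table = b"".join(struct.pack("<II", base + 16 * i, 16) for i in range(count))
    payload = b"\x00" * (16 * count) if payload_present else b""
    return io.BytesIO(table + payload)

def is_rejected(fp, count):
    """Hardened caller: stop at the first short read instead of decoding on."""
    try:
        decode_blocks(fp, count, safe_read)
        return False
    except TruncatedRead:
        return True

if __name__ == "__main__":
    truncated = make_file(1000, payload_present=False)
    print("unchecked decoder runs:", decode_blocks(truncated, 1000, unchecked_read))
    print("checked reader rejects:", is_rejected(make_file(1000, False), 1000))
```

An 8000-byte file with no payload drives the unchecked reader through 1000 decoder invocations on empty data, while the checked reader stops at the first block.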
- LOW
- LOCAL
- NONE
- UNCHANGED
- REQUIRED
- NONE
- NONE
- HIGH
CWE-345 - Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.