SnykCVELIST:CVE-2021-23437CVE-2021-23437 Regular Expression Denial of Service (ReDoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.7 High
AI Score
Confidence
High
0.007 Low
EPSS
Percentile
79.8%
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
CNA Affected
[
{
"vendor": "n/a",
"product": "Pillow",
"versions": [
{
"version": "0",
"status": "affected",
"lessThan": "unspecified",
"versionType": "custom"
},
{
"version": "unspecified",
"lessThan": "8.3.2",
"status": "affected",
"versionType": "custom"
}
]
}
]References
github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
lists.debian.org/debian-lts-announce/2024/03/msg00021.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNSG6VFXTAROGF7ACYLMAZNQV4EJ6I2C/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VKRCL7KKAKOXCVD7M6WC5OKFGL4L3SJT/
pillow.readthedocs.io/en/stable/releasenotes/8.3.2.html
security.gentoo.org/glsa/202211-10
snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.7 High
AI Score
Confidence
High
0.007 Low
EPSS
Percentile
79.8%