CVE-2021-28675

MEDIUM

Python Pillow < 8.2.0 - Denial of Service

Title source: rule

Description

An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load.

References (3)

[Vendor Advisory] https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin

[Third Party Advisory] https://security.gentoo.org/glsa/202107-33

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/

Scores

CVSS v3 5.5

EPSS 0.0011

EPSS Percentile 30.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-252

Status published

Affected Products (3)

python/pillow < 8.2.0

fedoraproject/fedora

pypi/pillow < 8.2.0PyPI

Timeline

Published Jun 02, 2021

Tracked Since Feb 18, 2026