Fluid Attacks Database

Description

Pillow Out-of-bounds Read vulnerability An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_gray_i. This dates to Pillow 2.4.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pillow	>=0 <8.1.2+dfsg-0.2	8.1.2+dfsg-0.2
pypi	pillow	>=2.4.0 <8.2.0	8.2.0
debian 13	pillow	>=0 <8.1.2+dfsg-0.2	8.1.2+dfsg-0.2
alpine v3.15	py3-pillow	=7.1.1-r0 \|\| =7.1.2-r0 \|\| =7.2.0-r0 \|\| =8.1.0-r0 \|\| =8.1.2-r0 \|\| =8.1.2-r1 \|\| >=0 <8.2.0-r0	8.2.0-r0
debian 11	pillow	>=0 <8.1.2+dfsg-0.2	8.1.2+dfsg-0.2
debian 14	pillow	>=0 <8.1.2+dfsg-0.2	8.1.2+dfsg-0.2
alpine v3.14	py3-pillow	=7.1.1-r0 \|\| =7.1.2-r0 \|\| =7.2.0-r0 \|\| =8.1.0-r0 \|\| =8.1.2-r0 \|\| =8.1.2-r1 \|\| >=0 <8.2.0-r0	8.2.0-r0
rpm rhel8	python-pillow	<0:5.1.1-16.el8	0:5.1.1-16.el8
rpm rhel7	python-pillow	-	-

Aliases

1. CVE-2021-252882. NVD-2021-252883. OSV-DEBIAN-2021-252884. OSV-2021-252885. OSV-ALPINE-2021-252886. GHSA-rwv7-3v45-hg297. GCVE-2021-252888. SECURITY-TRACKER-CVE-2021-252889. security.gentoo.org10. SECURITY-CVE-2021-25288

References

1. https://github.com/python-pillow/Pillow/pull/5377#issuecomment-8338214702. https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f873. https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-138.yaml4. https://lists.fedoraproject.org/archives/list/[email protected]/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL5. https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.