{"api_version":"1","generated_at":"2026-04-22T23:31:02+00:00","cve":"CVE-2021-28677","urls":{"html":"https://cve.report/CVE-2021-28677","api":"https://cve.report/api/cve/CVE-2021-28677.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-28677","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677"},"summary":{"title":"CVE-2021-28677","description":"An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-06-02 16:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open","name":"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open","refsource":"MISC","tags":[],"title":"8.2.0 — Pillow (PIL Fork) 8.2.0 documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/python-pillow/Pillow/pull/5377","name":"https://github.com/python-pillow/Pillow/pull/5377","refsource":"MISC","tags":[],"title":"Security fixes for 8.2.0 by hugovk · Pull Request #5377 · python-pillow/Pillow · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/","name":"FEDORA-2021-77756994ba","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/","name":"FEDORA-2021-77756994ba","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: mingw-python-pillow-7.2.0-6.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202107-33","name":"GLSA-202107-33","refsource":"GENTOO","tags":[],"title":"Pillow: Multiple vulnerabilities (GLSA 202107-33) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html","name":"[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2716-1] pillow security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-28677","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28677","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"28677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"28677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"pillow","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-28677","qid":"178719","title":"Debian Security Update for pillow (DLA 2716-1)"},{"cve":"CVE-2021-28677","qid":"179813","title":"Debian Security Update for pillow (CVE-2021-28677)"},{"cve":"CVE-2021-28677","qid":"198379","title":"Ubuntu Security Notification for Pillow vulnerabilities (USN-4963-1)"},{"cve":"CVE-2021-28677","qid":"239802","title":"Red Hat Update for python-pillow (RHSA-2021:4149)"},{"cve":"CVE-2021-28677","qid":"281106","title":"Fedora Security Update for mingw (FEDORA-2021-aa5d2e2289)"},{"cve":"CVE-2021-28677","qid":"281504","title":"Fedora Security Update for mingw (FEDORA-2021-77756994ba)"},{"cve":"CVE-2021-28677","qid":"296059","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 36.0.1.101.2 Missing (CPUJUL2021)"},{"cve":"CVE-2021-28677","qid":"296060","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)"},{"cve":"CVE-2021-28677","qid":"355121","title":"Amazon Linux Security Advisory for python-pillow : ALAS2023-2023-146"},{"cve":"CVE-2021-28677","qid":"355393","title":"Amazon Linux Security Advisory for python-pillow : ALAS2-2023-2083"},{"cve":"CVE-2021-28677","qid":"501768","title":"Alpine Linux Security Update for py3-pillow"},{"cve":"CVE-2021-28677","qid":"505317","title":"Alpine Linux Security Update for py3-pillow"},{"cve":"CVE-2021-28677","qid":"670495","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2253)"},{"cve":"CVE-2021-28677","qid":"670521","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2279)"},{"cve":"CVE-2021-28677","qid":"670558","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2314)"},{"cve":"CVE-2021-28677","qid":"670587","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2345)"},{"cve":"CVE-2021-28677","qid":"670674","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2432)"},{"cve":"CVE-2021-28677","qid":"670990","title":"EulerOS Security Update for python-pillow (EulerOS-SA-2021-2611)"},{"cve":"CVE-2021-28677","qid":"690140","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for pillow (f947aa26-b2f9-11eb-a5f7-a0f3c100ae18)"},{"cve":"CVE-2021-28677","qid":"710035","title":"Gentoo Linux Pillow Multiple vulnerabilities (GLSA 202107-33)"},{"cve":"CVE-2021-28677","qid":"940109","title":"AlmaLinux Security Update for python-pillow (ALSA-2021:4149)"},{"cve":"CVE-2021-28677","qid":"980994","title":"Python (pip) Security Update for Pillow (GHSA-q5hq-fp76-qmrc)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-28677","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open","url":"https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open"},{"refsource":"MISC","name":"https://github.com/python-pillow/Pillow/pull/5377","url":"https://github.com/python-pillow/Pillow/pull/5377"},{"refsource":"FEDORA","name":"FEDORA-2021-77756994ba","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL/"},{"refsource":"GENTOO","name":"GLSA-202107-33","url":"https://security.gentoo.org/glsa/202107-33"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210722 [SECURITY] [DLA 2716-1] pillow security update","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"}]}},"nvd":{"publishedDate":"2021-06-02 16:15:00","lastModifiedDate":"2023-11-07 03:32:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*","versionEndExcluding":"8.2.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"28677","Ordinal":"203853","Title":"CVE-2021-28677","CVE":"CVE-2021-28677","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"28677","Ordinal":"1","NoteData":"An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"28677","Ordinal":"2","NoteData":"2021-06-02","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"28677","Ordinal":"3","NoteData":"2021-07-22","Type":"Other","Title":"Modified"}]}}}