CVE-2021-34552

Published: Jul 13, 2021Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

Affected (5)

Products: Python: Pillow · Debian: Debian Linux · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Python Pillow	From 1.0 to 1.1.7
Python Pillow	From 1.2 to 8.2.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (12)

https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V6LCG525ARIX6LX5QRYNAWVDD2MD2SV/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUGBBT63VL7G4JNOEIPDJIOC34ZFBKNJ/

Source: cve@mitre.org

https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow

Source: cve@mitre.org

Release NotesVendor Advisory

https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://security.gentoo.org/glsa/202211-10

Source: cve@mitre.org

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html