
Amazon Linux 2023: CVE-2021-34552: Important priority package update for python-pillow

Severity: 7
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: Jul 13, 2021
Added: Feb 17, 2025
Modified: Jul 4, 2025

Description

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the "convert()" or "ImagingConvertTransparent()" functions in Convert.c. The highest threat from this vulnerability is to system availability.
In Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container; however, the invoice generation feature that uses python-pillow is disabled by default. Therefore, the impact has been rated Moderate.

Solutions

amazon-linux-2023-upgrade-python3-pillow
amazon-linux-2023-upgrade-python3-pillow-debuginfo
amazon-linux-2023-upgrade-python3-pillow-devel
amazon-linux-2023-upgrade-python3-pillow-tk
amazon-linux-2023-upgrade-python3-pillow-tk-debuginfo
amazon-linux-2023-upgrade-python-pillow-debuginfo
amazon-linux-2023-upgrade-python-pillow-debugsource