Amazon Linux 2023: CVE-2021-34552: Important priority package update for python-pillow

Severity: 7
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: Jul 13, 2021
Added: Feb 17, 2025
Modified: Jul 4, 2025

Description

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.

A flaw was found in python-pillow. This flaw allows an attacker to pass controlled parameters directly into a convert function, triggering a buffer overflow in the "convert()" or "ImagingConvertTransparent()" functions in Convert.c. The highest threat from this vulnerability is to system availability.

In Red Hat Quay, a vulnerable version of python-pillow is shipped with quay-registry-container; however, the invoice generation feature which uses python-pillow is disabled by default. Therefore the impact has been rated Moderate.

Solutions

amazon-linux-2023-upgrade-python3-pillow
amazon-linux-2023-upgrade-python3-pillow-debuginfo
amazon-linux-2023-upgrade-python3-pillow-devel
amazon-linux-2023-upgrade-python3-pillow-tk
amazon-linux-2023-upgrade-python3-pillow-tk-debuginfo
amazon-linux-2023-upgrade-python-pillow-debuginfo
amazon-linux-2023-upgrade-python-pillow-debugsource