[GHSA-jgpv-4h4c-xhw3] Uncontrolled Resource Consumption in pillow #8475
yusuke-koyoshi wants to merge 1 commit into
Conversation
Hi there @rhh! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR aims to withdraw GHSA-jgpv-4h4c-xhw3 (“Uncontrolled Resource Consumption in pillow”) from the GitHub Advisory Database because it appears to be an accidentally published test/duplicate advisory for CVE-2021-27921 (already covered by GHSA-f4w8-cv6p-x6r5).
Changes:
- Updates advisory metadata (e.g., modified) and removes the top-level CVSS severity block.
- Alters the affected package entry (including blanking the package name and removing the upper-bounding version event).
- Adjusts database_specific.severity.
| "modified": "2023-01-09T05:04:45Z", | ||
| "published": "2021-04-23T16:54:36Z", | ||
| "aliases": [], | ||
| "summary": "Uncontrolled Resource Consumption in pillow", | ||
| "details": "### Impact\n_Pillow before 8.1.1 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large._\n\n### Patches\n_An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._\n\n### Workarounds\n_An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image._\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27921\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)", |
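Review bot: the details field on this line is left untouched, yet it is the clearest evidence for the PR's test-advisory claim and the description does not point to it: the Patches and Workarounds sections repeat an unrelated "before 6.2.0" description instead of a fix, and the "For more information" links are the advisory template placeholders (http://example.com, example@example.com). Cite these in the PR description so the curation team does not have to infer the origin of the record from the diff.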
| "package": { | ||
| "ecosystem": "PyPI", | ||
| "name": "pillow" | ||
| "name": "" | ||
| }, | ||
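Review bot: replacing "name": "pillow" with "name": "" does not withdraw the advisory; it leaves an affected entry whose package is malformed, and together with the removal of the upper-bounding version event noted in the overview it widens the range so the record can match every Pillow release instead of none, the opposite of the stated goal of stopping false matches on 8.1.1. Suggest leaving the package and range as they are and asking the Security Curation Team for withdrawal rather than editing the affected block.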
| "ranges": [ |
| "CWE-400" | ||
| ], | ||
| "severity": "MODERATE", | ||
| "severity": "LOW", |
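Review bot: the change from "severity": "MODERATE" to "severity": "LOW" (and the removal of the top-level CVSS block mentioned in the overview) is unrelated to withdrawal and is not justified anywhere in the description; if the withdrawal is declined, the result is a still-live advisory with an unexplained downgrade. Drop this part of the change or state why LOW is the correct rating.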
We would like to request the withdrawal of GHSA-jgpv-4h4c-xhw3 ("Uncontrolled Resource Consumption in pillow") from the GitHub Advisory Database. It appears to be a test advisory that was published unintentionally, and the vulnerability it describes is already correctly tracked as GHSA-f4w8-cv6p-x6r5 (CVE-2021-27921).
Reasons supporting withdrawal:
Because this advisory adds no information beyond GHSA-f4w8-cv6p-x6r5 and its incorrect version range causes inaccurate vulnerability matches (e.g., for Pillow 8.1.1), we ask that GHSA-jgpv-4h4c-xhw3 be withdrawn.
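The inaccurate-match problem described in the request above, as an added example (not code from the advisory database, Pillow, or the PR author): a simplified OSV-style ECOSYSTEM range matcher, with a constructed range ending at the 8.1.1 fix and a constructed variant whose upper-bounding event has been removed, as the overview says this change does.

```python
# Added illustration of OSV-style range matching, not code from the GitHub
# Advisory Database or from Pillow. The two range lists below are constructed
# to mirror the situation the PR describes: the assumed correct range ends at
# the fixed version 8.1.1, the assumed broken one has no upper-bounding event.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (enough for Pillow-style X.Y.Z)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """Simplified OSV ECOSYSTEM semantics: an 'introduced' event opens an
    interval (inclusive) and the next 'fixed' event closes it (exclusive).
    An interval with no closing 'fixed' event is open-ended upward, which is
    why dropping the upper bound turns a precise advisory into a match for
    every later release."""
    v = parse_version(version)
    for rng in ranges:
        if rng.get("type") != "ECOSYSTEM":
            continue
        lower = None
        for event in rng["events"]:
            if "introduced" in event:
                lower = parse_version(event["introduced"])
            elif "fixed" in event and lower is not None:
                if lower <= v < parse_version(event["fixed"]):
                    return True
                lower = None
        if lower is not None and lower <= v:
            return True
    return False


# Constructed: an advisory that correctly ends at the fix release.
RANGE_WITH_FIX = [{"type": "ECOSYSTEM",
                   "events": [{"introduced": "0"}, {"fixed": "8.1.1"}]}]
# Constructed: the same advisory with its upper-bounding event removed.
RANGE_NO_UPPER = [{"type": "ECOSYSTEM",
                   "events": [{"introduced": "0"}]}]


def false_positive_for(version: str) -> bool:
    """True when the open-ended range flags a version the precise one clears."""
    return is_affected(version, RANGE_NO_UPPER) and not is_affected(version, RANGE_WITH_FIX)


if __name__ == "__main__":
    for ver in ("8.1.0", "8.1.1", "9.0.0"):
        print(ver, is_affected(ver, RANGE_WITH_FIX), is_affected(ver, RANGE_NO_UPPER))
```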