Arbitrary Expression Execution Vulnerability in Pillow by Python Software Foundation
CVE-2022-22817

9.8 CRITICAL

Key Information:

Vendor: Python
Status: Vendor
CVE Published: 10 January 2022

Badges

👾 Exploit Exists

Summary

A vulnerability in Pillow allows callers to evaluate arbitrary Python expressions through the PIL.ImageMath.eval method. Because the expression string is evaluated by the Python interpreter rather than parsed as image arithmetic, an attacker who controls the input can execute code, for example through lambda expressions or Python's exec, whenever the application does not sanitize that input. Pillow versions prior to 9.0.0 are affected. Developers and system administrators should update to the latest version to mitigate this risk.
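As an added example (not from this advisory or from the Pillow project), the following pure-Python check is the kind of allowlist an application can apply to an untrusted expression before handing it to PIL.ImageMath.eval on a version that still evaluates freely. The permitted node types and helper names are assumptions chosen for this illustration; Pillow itself is not imported, so the block runs stand-alone.

```python
import ast

# Helper names a legitimate ImageMath expression is expected to call.
# Assumed allowlist for this example: keep it as small as your application allows.
IMAGEMATH_FUNCTIONS = {"convert", "float", "int", "min", "max", "abs"}

# Syntax permitted in an expression: literals, names, arithmetic, comparisons
# and direct calls. Lambda, Attribute, Subscript, comprehensions and f-strings
# are deliberately absent, which closes the exec/lambda/__import__ paths.
SAFE_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp,
    ast.Name, ast.Constant, ast.Load, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod,
    ast.And, ast.Or, ast.Not, ast.USub, ast.UAdd, ast.Invert,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.BitAnd, ast.BitOr, ast.BitXor, ast.LShift, ast.RShift,
)


def is_safe_imagemath_expression(expression: str, image_names: set) -> bool:
    """Return True only if `expression` uses allowed syntax, the supplied
    image variable names and the allowlisted helper functions, nothing else."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError:
        return False
    for node in ast.walk(tree):
        if not isinstance(node, SAFE_NODES):
            return False
        if isinstance(node, ast.Call):
            # Only direct calls to allowlisted helpers; rejects exec(), eval(),
            # __import__() and calls on the result of another expression.
            if not (isinstance(node.func, ast.Name)
                    and node.func.id in IMAGEMATH_FUNCTIONS):
                return False
            if node.keywords:
                return False
        elif isinstance(node, ast.Name):
            if node.id not in image_names and node.id not in IMAGEMATH_FUNCTIONS:
                return False
        elif isinstance(node, ast.Constant):
            # Numbers and short mode strings such as "L" are the only literals needed.
            if not isinstance(node.value, (int, float, str)):
                return False
    return True
```

Only an expression that passes this check should reach ImageMath.eval; the check narrows exposure but does not replace upgrading to Pillow 9.0.0 or later.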

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved
