File Deletion Vulnerability in Pillow by Python
CVE-2022-24303
9.1 CRITICAL
What is CVE-2022-24303?
Pillow, the popular Python imaging library, contains a vulnerability that can be exploited by attackers to delete files. This issue arises from how temporary pathnames are processed, specifically the mishandling of spaces, which can lead to unauthorized file deletion. Users of Pillow versions prior to 9.0.1 are advised to upgrade to avoid potential exploitation. For further details, refer to the security advisories from various vendors, including Fedora and Gentoo.