Heap Buffer Overflow in Pillow TGA Image Processing
CVE-2022-30595

9.8CRITICAL

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 25 May 2022

Summary

The Pillow library version 9.1.0 contains a vulnerability that can lead to a heap buffer overflow when processing crafted TGA image files. This flaw occurs due to improper handling of invalid TGA files in the TgaRleDecode.c source file. Exploitation of this issue could potentially allow an attacker to execute arbitrary code within the context of the application utilizing the Pillow library. It is essential for developers using this library to update to the latest patched version to mitigate the risk.

References

https://github.com/python-pillow/Pillow/blob/main/src/lib...

x_refsource_MISC

https://pillow.readthedocs.io/en/stable/releasenotes/9.1....

x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 25, 2022
Vulnerability Reserved
May 12, 2022