Heap Buffer Overflow in Pillow TGA Image Processing
CVE-2022-30595

9.8CRITICAL

Key Information:

Vendor: Python
Status: Pillow
Vendor: CVE Published:; 25 May 2022

What is CVE-2022-30595?

The Pillow library version 9.1.0 contains a vulnerability that can lead to a heap buffer overflow when processing crafted TGA image files. This flaw occurs due to improper handling of invalid TGA files in the TgaRleDecode.c source file. Exploitation of this issue could potentially allow an attacker to execute arbitrary code within the context of the application utilizing the Pillow library. It is essential for developers using this library to update to the latest patched version to mitigate the risk.

References

https://github.com/python-pillow/Pillow/blob/main/src/lib...

x_refsource_MISC

https://pillow.readthedocs.io/en/stable/releasenotes/9.1....

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2022
Vulnerability Reserved
May 12, 2022

Python

What is CVE-2022-30595?

References

CVSS V3.1

Timeline