#VU60003 Exposed dangerous method or function in Pillow - CVE-2022-22817


Vulnerability identifier: #VU60003

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-22817

CWE-ID: CWE-749

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pillow
Universal components / Libraries / Libraries used by multiple products

Vendor: Alex Clark and Contributors

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to usage of PIL.ImageMath.eval() function on arbitrary expressions. A remote attacker can pass specially crafted file to the library and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pillow: 1.0 - 8.4.0

External links
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
https://www.debian.org/security/2022/dsa-5053

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for python-pillow
Anolis OS update for python-pillow
Multiple vulnerabilities in Dell XtremIO X2
Multiple vulnerabilities in IBM PowerVC
Amazon Linux AMI update for python-pillow
Amazon Linux AMI update for python-pillow
Anolis OS update for python-pillow
openEuler update for python-pillow
SUSE update for python-Pillow
Multiple vulnerabilities in IBM Cloud Pak for Business Automation