CVE-2014-3007 — OS Command Injection in Pillow

CWE-78 — OS Command Injection10 documents7 sources

Severity

10.0CRITICALNVD

CNA4.4GHSA4.4OSV4.4

EPSS

3.0%

top 13.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Pythonware Python Imaging Library

Timeline

PublishedApr 27

Latest updateMay 17

Description

Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages4 packages

▶PyPIpython/pillow< 2.5.0

▶Debianpython/pillow< 2.4.0-1+3

▶NVDpythonware/python_imaging_library1.1.7

▶NVDpython/pillow2.3.0

🔴Vulnerability Details

OSV

Pillow command injection↗2022-05-17

▶

GHSA

Pillow command injection↗2022-05-17

▶

OSV

CVE-2014-3007: Python Image Library (PIL) 1↗2014-04-27

▶

CVEList

CVE-2014-3007: Python Image Library (PIL) 1↗2014-04-27

▶

📋Vendor Advisories

Red Hat

python-imaging: command injection issue↗2014-01-29

▶

Debian

CVE-2014-3007: pillow - Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote a...↗2014

▶

💬Community

Bugzilla

CVE-2014-3007 python26-imaging: python-pillow, python-imaging: command injection issue [epel-5]↗2014-11-12

▶

Bugzilla

CVE-2014-3007 python-pillow: python-pillow, python-imaging: command injection issue [fedora-all]↗2014-11-12

▶

Bugzilla

CVE-2014-3007 python-pillow, python-imaging: command injection issue↗2014-05-05

▶