CVE-2022-22817 — Command Injection in Pillow

CWE-77 — Command Injection CWE-74 — Injection CWE-94 — Code Injection CWE-95 — Eval Injection26 documents10 sources

Severity

9.8CRITICALNVD

NVD8.1OSV7.5

EPSS

2.8%

top 13.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Pillow Debian Linux Paloalto Pan-os

Timeline

PublishedJan 10

Latest updateFeb 26

Description

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDpython/pillow< 9.0.1+1

▶PyPIpython/pillow< 9.0.1+2

▶Debianpython/pillow< 8.1.2+dfsg-0.3+deb11u2+7

▶Ubuntupython/pillow< 5.1.0-1ubuntu0.8+5

▶Palo Altopaloalto/pan-os

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

GHSA

Arbitrary Code Execution in Pillow↗2024-01-19

▶

OSV

Arbitrary Code Execution in Pillow↗2024-01-19

▶

OSV

CVE-2023-50447: Pillow through 10↗2024-01-19

▶

CVEList

CVE-2023-50447: Pillow through 10↗2024-01-19

▶

OSV

pillow vulnerability↗2022-10-24

▶

📋Vendor Advisories

CISA ICS

Schneider Electric EcoStruxure Power Operation (Update A)↗2026-02-26

▶

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Red Hat

pillow: Arbitrary Code Execution via the environment parameter↗2024-01-19

▶

Debian

CVE-2023-50447: pillow - Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the...↗2023

▶

Ubuntu

Pillow vulnerability↗2022-10-24

▶

📄Research Papers

CTF

Web / PillowFight↗2024

▶

CTF

Web / Amidst_Us↗2022

▶

CTF

2022_Hackers_Playground / Imageium↗2022

▶