.avif)
View all vulnerabilities
CVE-2022-22817
Arbitrary expression injection in Pillow
Description
`PIL.ImageMath.eval` in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method `ImageMath.eval("exec(exit())")`.
While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval(), it did not prevent builtins available to lambda expressions. These are now also restricted in 9.0.1.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgradingVulnerability Details
Score
9.8
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Versions
pillow < 9.0.1
Severity
Critical
Critical
Critical
Ecosystem
Python
Publish Date
January 12, 2022
Modified Date
October 14, 2024