Fluid Attacks Database

Description

Arbitrary Code Execution in Pillow Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	pillow	=9.4.0-1.1 \|\| >=0 <9.4.0-1.1+deb12u1	9.4.0-1.1+deb12u1
pypi	pillow	>=0 <10.2.0	10.2.0
debian 11	pillow	=8.1.2+dfsg-0.3 \|\| =8.1.2+dfsg-0.3+deb11u1 \|\| >=0 <8.1.2+dfsg-0.3+deb11u2	8.1.2+dfsg-0.3+deb11u2
debian 13	pillow	>=0 <10.2.0-1	10.2.0-1
debian 14	pillow	>=0 <10.2.0-1	10.2.0-1
rpm rhel8.6	python-pillow	<0:5.1.1-19.el8_6	0:5.1.1-19.el8_6
rpm rhel7	python-pillow	<0:2.0.0-25.gitd1c6db8.el7_9	0:2.0.0-25.gitd1c6db8.el7_9
rpm rhel8	python-pillow	<0:5.1.1-18.el8_9.1	0:5.1.1-18.el8_9.1
rpm rhel8.8	python-pillow	<0:5.1.1-19.el8_8	0:5.1.1-19.el8_8

Aliases

1. CVE-2023-504472. NVD-2023-504473. OSV-DEBIAN-2023-504474. OSV-2023-504475. GCVE-2023-504476. SECURITY-TRACKER-CVE-2023-504477. lists.debian.org

References

1. https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a2. https://duartecsantos.github.io/2023-01-02-CVE-2023-504473. https://duartecsantos.github.io/2024-01-02-CVE-2023-504474. https://github.com/python-pillow/Pillow/releases5. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html#security6. http://www.openwall.com/lists/oss-security/2024/01/20/1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.