CVE-2022-22817

Опубликовано: 10 янв. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Ссылки

https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
Release Notes
Vendor Advisory
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
Release Notes
Vendor Advisory
https://security.gentoo.org/glsa/202211-10
Third Party Advisory
https://www.debian.org/security/2022/dsa-5053
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
Release Notes
Vendor Advisory
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
Release Notes
Vendor Advisory
https://security.gentoo.org/glsa/202211-10
Third Party Advisory
https://www.debian.org/security/2022/dsa-5053
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*

Версия до 9.0.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 85%

0.02548

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2022-22817

CVSS3: 9.8

ubuntu

больше 3 лет назад

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

CVE-2022-22817

CVSS3: 9.8

redhat

больше 3 лет назад

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

CVE-2022-22817

CVSS3: 9.8

debian

больше 3 лет назад

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitra ...

GHSA-8vj2-vxx3-667w

CVSS3: 9.8

github

больше 3 лет назад

Arbitrary expression injection in Pillow

BDU:2022-00583

CVSS3: 9.8

fstec

больше 3 лет назад

Уязвимость компонента PIL.ImageMath.eval библиотеки изображений Python Pillow, связанная с использованием опасных методов или функций, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 85%

0.02548

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo