CVSSv3: 8.1

CVE-2023-50447

Published: 19/01/2024 Updated: 27/03/2024
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 0

Vulnerability Summary

Pillow up to and including 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Vulnerable Products

- python pillow
- debian debian linux 10.0

Vendor Advisories

Red Hat: Important: python-pillow security update. Type/Severity: Security Advisory, Important. Topic: An update for python-pillow is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Secur ...
Debian Bug report logs - #1061172 pillow: CVE-2023-50447. Package: src:pillow; Maintainer for src:pillow is Matthias Klose <doko@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 20 Jan 2024 09:00:02 UTC; Severity: grave; Tags: security, upstream; Found in version pillow/10.1.0-1; Fixed in ver ...
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter) (CVE-2023-50447) ...
Description: This CVE is under investigation by Red Hat Product Security ...