CVE-2022-22817
Publication date 10 January 2022
Last updated 24 July 2024
Ubuntu priority
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pillow | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Fixed 7.0.0-4ubuntu0.6
|
|
| 18.04 LTS bionic |
Fixed 5.1.0-1ubuntu0.8
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty |
Vulnerable
|
|
| pillow-python2 | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| python-imaging | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
ccdm94
upstream mentions in the readthedocs page for version 9.0.1 (https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html) that the fix for this CVE applied in version 9.0.0 (commit 8531b01d6c) does not completely patch the vulnerability. A new commit, dd46100bdc, was added in order to completely fix the issue.
mdeslaur
switching releases back to needed due to incomplete fix
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5227-1
- Pillow vulnerabilities
- 13 January 2022
- USN-5227-2
- Pillow vulnerabilities
- 17 January 2022
- USN-5227-3
- Pillow vulnerability
- 24 October 2022