PT-2022-1453 · Pillow+10 · Pillow+10

Published

2022-01-07

Updated

2024-06-13

CVE-2022-22815

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 9.0.0

Description The issue is related to the path getbbox function in path.c in Pillow, which improperly initializes ImagePath.Path. This can be exploited by a remote attacker to access arbitrary files in the system by sending a specially crafted HTTP request. The vulnerability is associated with incorrect path restriction to the directory.

Recommendations For versions prior to 9.0.0, update to version 9.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the path getbbox function in path.c until a patch is available.

Fix

Improper Initialization

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-665CWE-22

Related Identifiers

ALSA-2022:0643

ALT-PU-2022-1236

ALT-PU-2023-7942

ALT-PU-2023-8182

BDU:2022-00581

BIT-PILLOW-2022-22815

CESA-2022_0643

CVE-2022-22815

DLA-2893-1

DSA-5053-1

GHSA-PW3C-H7WP-CVHX

MGASA-2022-0166

OESA-2022-1526

OPENSUSE-SU-2024_1673-1

PYSEC-2022-8

RHSA-2022:0643

RHSA-2022_0643

RLSA-2022:0643

SUSE-SU-2022:1729-1

SUSE-SU-2024:1673-1

SUSE-SU-2024:1673-2

USN-5227-1

USN-5227-2

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2022-1453 · Pillow+10 · Pillow+10

CVE-2022-22815

Weakness Enumeration

Related Identifiers

Affected Products

References · 127