PT-2022-1454 · Pillow+10 · Pillow+10

Published

2022-01-02

Updated

2024-06-13

CVE-2022-22816

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 9.0.0

Description The issue is related to a buffer over-read in the path getbbox function in path.c during the initialization of ImagePath.Path. This could allow a remote attacker to access confidential information by sending a specially crafted file.

Recommendations For Pillow versions prior to 9.0.0, update to version 9.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the path getbbox function in path.c until a patch is available.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-125

Related Identifiers

ALSA-2022:0643

ALT-PU-2022-1236

ALT-PU-2023-7942

ALT-PU-2023-8182

BDU:2022-00582

BIT-PILLOW-2022-22816

CESA-2022_0609

CESA-2022_0643

CVE-2022-22816

DLA-2893-1

DSA-5053-1

GHSA-XRCV-F9GM-V42C

MGASA-2022-0166

OESA-2022-1526

OPENSUSE-SU-2024_1673-1

PYSEC-2022-9

RHSA-2022:0609

RHSA-2022:0643

RHSA-2022:0665

RHSA-2022:0667

RHSA-2022:0669

RHSA-2022_0609

RHSA-2022_0643

RLSA-2022:0643

SUSE-SU-2022:1729-1

SUSE-SU-2024:1673-1

SUSE-SU-2024:1673-2

USN-5227-1

USN-5227-2

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Pillow

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2022-1454 · Pillow+10 · Pillow+10

CVE-2022-22816

Weakness Enumeration

Related Identifiers

Affected Products

References · 126