PT-2022-1455 · Pypi+9 · Pillow+9

Published: 2022-01-02 · Updated: 2025-01-14 · CVE-2022-22817

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Pillow versions prior to 9.0.1

Description: The issue allows evaluation of arbitrary expressions, including ones that call the Python exec function. A lambda expression could also be used, potentially enabling a remote attacker to execute arbitrary code on the system by passing a specially crafted file to the vulnerable library.

Recommendations: For Pillow versions prior to 9.0.0, update to version 9.0.1 to resolve the issue. For Pillow version 9.0.0, update to version 9.0.1 to fully restrict the builtins available to lambda expressions and prevent exploitation.

Fix

Weakness Enumeration: Special Elements Injection

Related Identifiers

ALSA-2022:0643
ALT-PU-2022-1236
ALT-PU-2023-7942
ALT-PU-2023-8182
BDU:2022-00583
BIT-PILLOW-2022-22817
CESA-2022_0609
CESA-2022_0643
CVE-2022-22817
DLA-2893-1
DLA-3768-1
DSA-5053-1
GHSA-8VJ2-VXX3-667W
MGASA-2022-0166
OESA-2022-1526
OPENSUSE-SU-2024:11814-1
OPENSUSE-SU-2025:14645-1
PYSEC-2022-10
RHSA-2022:0609
RHSA-2022:0643
RHSA-2022:0665
RHSA-2022:0667
RHSA-2022:0669
RHSA-2022_0609
RHSA-2022_0643
RLSA-2022:0643
SUSE-SU-2022:1729-1
SUSE-SU-2024:0290-1
USN-5227-1
USN-5227-2
USN-5227-3

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Pillow
Red Hat
Red Os
Rocky Linux
Ubuntu