Denial of service in Pillow

Published: 2022-11-22

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2022-45198
CWE-ID	CWE-399
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Pillow Universal components / Libraries / Libraries used by multiple products
Vendor	Alex Clark and Contributors

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource management error

EUVDB-ID: #VU69498

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-45198

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources when handing highly compressed GIF data. A remote attacker can pass specially crafted GIF file to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Pillow: 1.0 - 9.1.1

CPE2.3

cpe:2.3:a:alex_clark_and_contributors:pillow:9.1.1:*:*:*:*:*:*:*

External links

http://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4
http://github.com/python-pillow/Pillow/pull/6402
http://github.com/python-pillow/Pillow/releases/tag/9.2.0
http://pillow.readthedocs.io/en/stable/releasenotes/9.2.0.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?