Input validation error in Pillow

#VU69497 Input validation error in Pillow

Published: 2022-11-22

Vulnerability identifier: #VU69497

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24303

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pillow
Universal components / Libraries / Libraries used by multiple products

Vendor: Alex Clark and Contributors

Description

The vulnerability allows a remote attacker to delete arbitrary files on the system.

The vulnerability exists due to input validation error when processing spaces in path to the temporary directory on Linux or macOS. A remote attacker can pass a specially crafted file to the application and delete arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pillow: 9.0.0

External links
http://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
http://github.com/python-pillow/Pillow/pull/3450
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Ubuntu update for pillow

Gentoo update for Pillow

Multiple vulnerabilities in Pillow

openEuler 22.03 LTS update for python-pillow

openEuler update for python-pillow