CVE-2022-22817

CRITICAL

Pillow <9.0.0 - Code Injection

Title source: llm

Description

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.

Exploits (1)

github FAILED 1 stars

by JawadPy · pythonpoc

https://github.com/JawadPy/CVE-Exploit-Collection/tree/main/CVE-2022-22817-Exploit

View Code ZIP pw:eip

References (6)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html

[Release Notes, Vendor Advisory] https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval

[Release Notes, Vendor Advisory] https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security

[Third Party Advisory] https://security.gentoo.org/glsa/202211-10

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5053

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html

Scores

CVSS v3 9.8

EPSS 0.0278

EPSS Percentile 85.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

Status published

Affected Products (5)

python/pillow < 9.0.1

debian/debian_linux

pypi/pillow < 9.0.1PyPI

Timeline

Published Jan 10, 2022

Tracked Since Feb 18, 2026