CVE-2023-50447
HIGHPillow < 10.1.0 - Remote Code Execution via PIL.ImageMath.eval Environment Parameter
Title source: llmDescription
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
References (5)
Core 5
Core References
Third Party Advisory
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/
Release Notes
https://github.com/python-pillow/Pillow/releases
Various Sources
https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2024/01/20/1
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html
Scores
CVSS v3
8.1
EPSS
0.0170
EPSS Percentile
74.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
CWE-94
Status
published
Products (3)
debian/debian_linux
10.0
pypi/Pillow
0 - 10.2.0PyPI
python/pillow
< 10.1.0
Published
Jan 19, 2024
Tracked Since
Feb 18, 2026