BIT-pillow-2022-24303
File Deletion vulnerability in pillow (PyPI)
What is BIT-pillow-2022-24303 About?
Pillow before 9.0.1 allows arbitrary file deletion because spaces in temporary pathnames are mishandled when the `ImageShow` module hands a pathname to the shell on Unix-like systems. A pathname containing a space can cause files other than the intended temporary image to be removed, with the privileges of the process calling Pillow. The risk is moderate: the attacker must be able to influence a pathname that reaches Pillow's image-display code.
Affected Software
Technical Details
The flaw is in `PIL.ImageShow`, the module behind `Image.show()`. Before 9.0.1, the Unix viewers launched the external viewer and then cleaned up the temporary image through a shell command ending in `rm -f`, with the pathname interpolated unquoted. The shell splits an unquoted word on whitespace, so a path containing a space becomes two or more arguments to `rm -f`: the intended temporary file is left in place, and every other word that names an existing file (absolute, or relative to the working directory of the process) is deleted. No race condition is involved; the only precondition is a space in the pathname that Pillow passes to the shell. The 9.0.1 fix (PR 6010) stops deleting the file through the shell and calls `os.remove` from Python instead, so the pathname is never word-split.
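The following is an added example, not Pillow's own source: it reconstructs the unquoted `rm -f` pattern described above beside two hardened variants, and runs each inside a throwaway directory so the effect can be observed safely. The directory layout, the file names `pic.png secret.txt` and `secret.txt`, and the helper names are constructed for illustration.

```python
import os
import shlex
import subprocess
import tempfile


def unsafe_cleanup(path, cwd):
    """Pre-9.0.1 style (reconstructed, not Pillow's code): the pathname is
    interpolated into a shell command unquoted, so the shell word-splits it
    on spaces and `rm -f` receives each word as a separate argument."""
    subprocess.run(f"rm -f {path}", shell=True, cwd=cwd,
                   stderr=subprocess.DEVNULL, check=False)


def quoted_shell_cleanup(path, cwd):
    """Hardened variant for cases where a shell is unavoidable: shlex.quote
    turns the whole pathname into a single shell word."""
    subprocess.run(f"rm -f {shlex.quote(path)}", shell=True, cwd=cwd,
                   stderr=subprocess.DEVNULL, check=False)


def safe_cleanup(path, cwd):
    """Pattern of the 9.0.1 fix: delete from Python, no shell involved,
    so the pathname is passed to the OS as one string."""
    os.remove(path)


def demo(cleanup):
    """Run one cleanup variant in a fresh temporary directory.

    Fixture (constructed): an image whose attacker-influenced filename
    contains a space followed by the name of a bystander file, plus the
    bystander itself in the working directory of the process.

    Returns (intended_file_removed, bystander_removed).
    """
    root = tempfile.mkdtemp()
    bystander = os.path.join(root, "secret.txt")
    image = os.path.join(root, "pic.png secret.txt")
    for p in (bystander, image):
        with open(p, "w") as f:
            f.write("data")
    cleanup(image, root)
    return (not os.path.exists(image), not os.path.exists(bystander))


if __name__ == "__main__":
    for name, fn in (("unsafe", unsafe_cleanup),
                     ("quoted", quoted_shell_cleanup),
                     ("os.remove", safe_cleanup)):
        removed_image, removed_bystander = demo(fn)
        print(f"{name:10s} intended file removed={removed_image} "
              f"bystander removed={removed_bystander}")
```

With the unquoted variant the intended file survives and the bystander is deleted, which is exactly the inverted outcome the advisory describes; both hardened variants remove only the intended file. The `os.remove` approach is preferable to quoting because it removes the shell from the path entirely rather than relying on every interpolation site being quoted correctly.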
What is the Impact of BIT-pillow-2022-24303?
Successful exploitation deletes arbitrary files that the Pillow-hosting process has permission to remove. Depending on which files are targeted, this results in denial of service, loss of application or user data, or corruption of system state that other components depend on. The vulnerability does not by itself disclose or modify file contents.
What is the Exploitability of BIT-pillow-2022-24303?
Exploitation requires an application that reaches Pillow's image-display code (`Image.show()` or `ImageShow.show()`) on a Unix-like host, and a way for the attacker to influence the pathname involved: either the temporary directory the process uses or the filename handed to the viewer. The payload is simply a space followed by the path to delete, absolute or relative to the working directory of the process. No authentication or elevated privileges are required beyond whatever is needed to trigger the display call; the deletion happens with the privileges of that process. Once the pathname is controlled the complexity is low, but exposure is limited in practice because `Image.show()` is an interactive, desktop-oriented API that is rarely reachable from untrusted input in server-side code.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-pillow-2022-24303?
Available Upgrade Options
- pillow <9.0.1 → Upgrade to 9.0.1
Additional Resources
- https://security.gentoo.org/glsa/202211-10
- https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
- https://github.com/python-pillow/Pillow/commit/143032103c9f2d55a0a7960bd3e630cb72549e8a
- https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26
- https://github.com/python-pillow/Pillow/pull/6010
- https://github.com/advisories/GHSA-9j59-75qj-795w
- https://github.com/python-pillow/Pillow/pull/3450
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP/
- https://github.com/python-pillow/Pillow/commit/10c4f75aaa383bd9671e923e3b91d391ea12d781
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-168.yaml
What are Similar Vulnerabilities to BIT-pillow-2022-24303?
Similar Vulnerabilities: CVE-2020-13558, CVE-2018-1999002, CVE-2021-39294, CVE-2019-15846, CVE-2020-27950
