BIT-pillow-2023-50447
Arbitrary Code Execution vulnerability in pillow (PyPI)
What is BIT-pillow-2023-50447 About?
Pillow through 10.1.0 is vulnerable to Arbitrary Code Execution via the `PIL.ImageMath.eval` function's `environment` parameter. This allows an attacker to execute arbitrary code within the context of the application. Exploitation is relatively straightforward for an attacker who can control the `environment` parameter.
Affected Software
Technical Details
This vulnerability in Pillow, affecting versions up to 10.1.0, allows Arbitrary Code Execution during evaluation in `PIL.ImageMath.eval`. Unlike the earlier vulnerability in the `expression` parameter (CVE-2022-22817), this flaw concerns the `environment` parameter. If an attacker can control the input to the `environment` parameter, they can inject malicious code that is executed when `PIL.ImageMath.eval` processes it. This implies that the `environment` parameter is not adequately sanitized or restricted, allowing arbitrary functions or expressions to be introduced and evaluated in the application's context.
What is the Impact of BIT-pillow-2023-50447?
Successful exploitation may allow attackers to execute arbitrary code on the host system, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of BIT-pillow-2023-50447?
Exploitation complexity is moderate to low, depending on the application's exposure of the PIL.ImageMath.eval function and its environment parameter. There are no explicit authentication or privilege requirements to exploit the vulnerability itself, but an attacker needs a way to control the environment parameter input. This could be a remote attack if the Pillow library is used in a web application that processes untrusted image data or parameters. Special conditions involve the application utilizing PIL.ImageMath.eval with user-supplied or manipulable environment inputs. The primary risk factor is the inclusion of Pillow in applications that handle external content without strict input validation.
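The mitigation the two sections above point to, validating what reaches the `environment` parameter before `PIL.ImageMath.eval` sees it, as an added example that is not part of this advisory and not Pillow's own code. The allow-list policy it applies (identifier-only names, no double-underscore names, no builtin or keyword names, values limited to numbers and `PIL.Image.Image` instances) is an assumption chosen here and is not a description of the upstream fix in 10.2.0; upgrading remains the fix, and the wrapper is defense in depth for code that must still run on an older release. It assumes a Pillow version in which `PIL.ImageMath.eval` still exists; the validator itself runs without Pillow installed, so it can also be used in an audit script.

```python
"""Defensive wrapper around PIL.ImageMath.eval for BIT-pillow-2023-50447 /
CVE-2023-50447: the ``environment`` dict is checked against an allow-list
before it is handed to eval(). Added example, not Pillow's own code; the
policy below is an assumption chosen here, not the upstream patch."""
import builtins
import keyword
import numbers
import re

# Identifier syntax accepted for environment names. Double-underscore names are
# rejected separately because they are the usual route to Python internals
# inside an eval namespace.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeEnvironmentError(ValueError):
    """Raised when an environment entry is rejected by the policy."""


def validate_environment(environment, allowed_types=(numbers.Number,)):
    """Return a filtered copy of ``environment`` or raise UnsafeEnvironmentError.

    Policy (assumed, defensive):
      * keys must be plain identifiers, not Python keywords, must not contain
        "__", and must not shadow a builtin name (e.g. "exec", "open");
      * values must be instances of ``allowed_types`` and must not be callable
        (by default only numbers; Pillow callers add PIL.Image.Image).
    """
    if not isinstance(environment, dict):
        raise UnsafeEnvironmentError("environment must be a dict")
    clean = {}
    for key, value in environment.items():
        if not isinstance(key, str) or not _IDENT.match(key):
            raise UnsafeEnvironmentError(f"invalid environment name: {key!r}")
        if "__" in key:
            raise UnsafeEnvironmentError(f"dunder name not allowed: {key!r}")
        if keyword.iskeyword(key) or hasattr(builtins, key):
            raise UnsafeEnvironmentError(f"reserved name not allowed: {key!r}")
        if callable(value) or not isinstance(value, allowed_types):
            raise UnsafeEnvironmentError(
                f"value for {key!r} has disallowed type {type(value).__name__}"
            )
        clean[key] = value
    return clean


def is_rejected(environment, allowed_types=(numbers.Number,)):
    """True when validate_environment raises for this input (useful in audits)."""
    try:
        validate_environment(environment, allowed_types)
    except UnsafeEnvironmentError:
        return True
    return False


def safe_imagemath_eval(expression, environment):
    """Evaluate ``expression`` with PIL.ImageMath.eval only after the
    environment has passed the policy. Pillow is imported lazily so the
    validator above also works where Pillow is not installed."""
    from PIL import Image, ImageMath  # assumed: Pillow release that still has ImageMath.eval
    clean = validate_environment(
        environment, allowed_types=(numbers.Number, Image.Image)
    )
    return ImageMath.eval(expression, **clean)


if __name__ == "__main__":
    # Constructed sample inputs: a benign numeric environment and a few shapes
    # a validator should refuse (a dunder name, a builtin name, a callable).
    print(validate_environment({"a": 1, "b": 2.5}))
    for sample in ({"__builtins__": {}}, {"exec": 1}, {"f": len}):
        print(sample, "rejected:", is_rejected(sample))
```

Apply the validator at the single point where user-supplied names and values enter the application, and pair it with a version check of the installed Pillow in deployment tooling so the wrapper does not become a substitute for the upgrade to 10.2.0.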
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-pillow-2023-50447?
Available Upgrade Options
- pillow
  - <10.2.0 → Upgrade to 10.2.0
Additional Resources
- https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/
- https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html
- https://github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160a
- https://nvd.nist.gov/vuln/detail/CVE-2023-50447
- http://www.openwall.com/lists/oss-security/2024/01/20/1
- https://github.com/python-pillow/Pillow/releases
- https://devhub.checkmarx.com/cve-details/CVE-2023-50447
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to BIT-pillow-2023-50447?
Similar Vulnerabilities: CVE-2022-22817, CVE-2024-21534, CVE-2020-7712, CVE-2017-16118, CVE-2017-16086
