CVE-2022-22816
Buffer Over-read vulnerability in pillow (PyPI)


What is CVE-2022-22816 About?

This is a Buffer Over-read vulnerability found in the `path_getbbox` function within `path.c` in Pillow before 9.0.0. It occurs during the initialization of `ImagePath.Path`, potentially leading to information disclosure or denial of service by reading beyond allocated buffer boundaries. Exploitation complexity depends on the specific memory layout and contents after the buffer.

Affected Software

pillow <9.0.0

Technical Details

The vulnerability is a buffer over-read in the `path_getbbox` function in `path.c` of the Pillow library, affecting versions prior to 9.0.0. During initialization of an `ImagePath.Path` object, the function reads data from a buffer; because of incorrect boundary checks or calculations, it reads past the legitimate end of the allocation. This out-of-bounds read can cause unexpected program behaviour or a crash (denial of service), and could leak data from adjacent memory regions if predictable data is stored there, although the primary described impact is a crash.

What is the Impact of CVE-2022-22816?

Successful exploitation may allow attackers to cause a denial of service by crashing the application, or potentially lead to information disclosure by reading sensitive data from adjacent memory locations.

What is the Exploitability of CVE-2022-22816?

Exploitation of this buffer over-read would involve crafting malformed input that triggers the flawed `ImagePath.Path` initialization, causing `path_getbbox` to read beyond its intended buffer. The complexity is medium: it requires knowledge of the `ImagePath.Path` structure and of how to manipulate it to reach the over-read. No authentication or privilege requirements are mentioned; any user who can make the application process such input could trigger it. The attack can be remote if the application processes untrusted image path data received over a network, or local if a malicious program calls the Pillow library directly. The risk is highest in applications that handle untrusted image files without robust input validation.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-22816?

Available Upgrade Options

  • pillow
    • <9.0.0 → Upgrade to 9.0.0
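A version gate a defender can run in CI or at deploy time to flag a Pillow install that falls in the affected range (<9.0.0). This is an added example, not code from the advisory or from the Pillow project; it assumes the PyPI distribution name `pillow`, compares only the numeric release segment, and treats pre-releases of 9.0.0 (e.g. `9.0.0rc1`, `9.0.0.dev0`) as still affected, matching the `<9.0.0` range.

```python
"""Detect a Pillow install affected by CVE-2022-22816 (pillow < 9.0.0)."""
import re
from importlib import metadata

FIXED_VERSION = "9.0.0"  # first release outside the affected range


def parse_version(version: str):
    """Split a version string into (release_tuple, is_prerelease).

    '8.4' -> ((8, 4, 0), False); '9.0.0rc1' -> ((9, 0, 0), True);
    '9.0.0.post1' -> ((9, 0, 0), False). Only the leading numeric
    release segment is compared; a suffix starting with a/b/rc/dev
    marks a pre-release (constructed rule, simplified PEP 440).
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (3 - len(release))  # pad so (9,) == (9,0,0)
    is_pre = bool(re.match(r"^[.\-]?(a|b|rc|dev)", m.group(2)))
    return release, is_pre


def is_affected(version: str) -> bool:
    """True when the version lies in the affected range '< 9.0.0'."""
    release, is_pre = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    # a pre-release of the fixed version still sorts below it
    return release < fixed or (release == fixed and is_pre)


def installed_pillow_version():
    """Installed Pillow version from package metadata, or None if absent."""
    try:
        return metadata.version("pillow")
    except metadata.PackageNotFoundError:
        return None


def check_environment() -> str:
    """One-line verdict for the current interpreter's Pillow install."""
    v = installed_pillow_version()
    if v is None:
        return "pillow not installed"
    state = "AFFECTED" if is_affected(v) else "fixed"
    return f"pillow {v}: {state} (CVE-2022-22816, fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(check_environment())
```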


Additional Resources

What are Similar Vulnerabilities to CVE-2022-22816?

Similar Vulnerabilities: CVE-2021-25291, CVE-2020-11538, CVE-2021-27923, CVE-2022-22817, CVE-2022-22815