CVE-2022-22817
Arbitrary Code Execution vulnerability in pillow (PyPI)
What is CVE-2022-22817 About?
Pillow before 9.0.1 allows arbitrary expression evaluation in `PIL.ImageMath.eval`, including calls to Python's built-in `exec` function. This severe vulnerability permits attackers to execute arbitrary code with ease by supplying specially crafted expressions to `ImageMath.eval`.
Affected Software
Technical Details
The vulnerability lies within the `PIL.ImageMath.eval` function in Pillow. Originally, this function was meant to evaluate mathematical expressions over images, but it was found to permit evaluation of arbitrary Python expressions, including dangerous built-in functions like `exec()`. While Pillow 9.0.0 attempted to restrict the built-ins available at the top level of an expression, it failed to restrict the built-ins accessible from inside lambda expressions. This means an attacker can embed malicious Python code within an expression passed to `ImageMath.eval`, leading to arbitrary code execution when the function evaluates it. For instance, `ImageMath.eval("exec(exit())")` demonstrates direct code execution, and a lambda expression wrapping the same call bypasses the initial top-level restriction.
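The following added example (not Pillow's own code) shows why restricting only top-level names is insufficient: a lambda body is a nested code object with its own `co_names`, so a guard that inspects only the outermost code object never sees the names used inside it. The example compiles the expression and walks every nested code object before evaluating; `guarded_eval` is a constructed stand-in for `ImageMath.eval` that works on plain numbers instead of images, and the allow-list of only `abs` is an assumption mirroring the 9.0.0 release notes.

```python
import builtins
import types

# Assumption: the only built-in an ImageMath expression legitimately needs is abs.
ALLOWED_BUILTINS = {"abs": abs}


def _code_objects(code):
    """Yield a code object and, recursively, every code object nested in its
    constants (lambda and comprehension bodies live in co_consts)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _code_objects(const)


def names_at_top_level(expression):
    """The weak check: names referenced by the outermost code object only."""
    code = compile(expression, "<string>", "eval")
    return set(code.co_names)


def names_everywhere(expression):
    """The stronger check: names referenced at any nesting depth."""
    code = compile(expression, "<string>", "eval")
    return {name for obj in _code_objects(code) for name in obj.co_names}


def is_safe_expression(expression, operands):
    """True only if every name in the expression is an operand or an allowed built-in."""
    try:
        referenced = names_everywhere(expression)
    except SyntaxError:
        return False
    return not (referenced - set(operands) - set(ALLOWED_BUILTINS))


def guarded_eval(expression, **operands):
    """Constructed stand-in for ImageMath.eval over numbers: refuse the
    expression unless it passes the nesting-aware check, then evaluate it
    with a minimal builtins namespace."""
    if not is_safe_expression(expression, operands):
        raise ValueError("expression references names that are not allowed")
    return builtins.eval(expression, {"__builtins__": ALLOWED_BUILTINS}, dict(operands))
```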
What is the Impact of CVE-2022-22817?
Successful exploitation may allow attackers to execute arbitrary code on the system, leading to full system compromise, data exfiltration, denial of service, or further network penetration. The confidentiality, integrity, and availability of the system are critically at risk.
What is the Exploitability of CVE-2022-22817?
Exploitation is straightforward and can typically be achieved with remote access to any application that uses PIL.ImageMath.eval with user-supplied input. An attacker simply needs to provide a specially crafted string that contains the arbitrary code to be executed. No authentication or elevated privileges are required, as the vulnerability exists within the application's code execution context. The primary risk factor is any public-facing service that processes or evaluates image math expressions, as it provides a direct vector for remote code execution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-22817?
About the Fix from Resolved Security
Available Upgrade Options
- pillow
- <9.0.1 → Upgrade to 9.0.1
Additional Resources
- https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html
- https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
- https://nvd.nist.gov/vuln/detail/CVE-2022-22817
- https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html
- https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-10.yaml
- https://www.debian.org/security/2022/dsa-5053
- https://security.gentoo.org/glsa/202211-10
What are Similar Vulnerabilities to CVE-2022-22817?
Similar Vulnerabilities: CVE-2021-41133, CVE-2020-2204, CVE-2019-1002005, CVE-2017-1000353, CVE-2020-11022
