CVE-2022-45198
Data Amplification vulnerability in pillow (PyPI)
What is CVE-2022-45198 About?
This vulnerability in Pillow involves improper handling of highly compressed GIF data, leading to data amplification. This can result in excessive memory or CPU consumption, causing a denial of service. Exploitation is achieved by providing a crafted GIF file and is relatively easy.
Affected Software
- pillow (PyPI), versions before 9.2.0
Technical Details
The vulnerability stems from Pillow's processing of highly compressed GIF (Graphics Interchange Format) data. When Pillow before 9.2.0 decodes certain crafted GIF files it fails to bound the expansion of that data, which is the weakness class CWE-409 (Improper Handling of Highly Compressed Data, also called data amplification). In practice a small malicious GIF file, because of its compression and declared structure, is expanded into a disproportionately large amount of data during decoding. Pillow allocates memory and spends CPU time in proportion to the expanded output rather than the input, so a file of a few kilobytes can exhaust the resources of the process decoding it and cause a denial of service for the application or system handling the image.
What is the Impact of CVE-2022-45198?
Successful exploitation may allow attackers to cause application unresponsiveness or crashes due to excessive resource consumption, leading to a denial of service.
What is the Exploitability of CVE-2022-45198?
Exploitation involves a low level of complexity, requiring the attacker to supply a specially crafted, highly compressed GIF file. No authentication or elevated privileges are required. This vulnerability can be exploited remotely if the target application accepts and processes GIF images from untrusted sources, such as through web forms or email attachments. The primary prerequisite is that the target system uses a vulnerable version of Pillow. The risk is elevated for web servers, image processing services, or any application that processes user-submitted GIFs, as a small input can generate a significant workload, making it an attractive target for resource exhaustion attacks.
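The guard below is an added example and is not code from Pillow, from the upstream fix, or from this advisory's author; the fix for the CVE is the 9.2.0 upgrade. It makes the amplification property described in the Technical Details and Exploitability sections concrete: a GIF container declares its canvas and every frame's dimensions up front, so a few dozen bytes of input can commit a decoder to hundreds of megabytes of output. The parser walks only the container framing (it never runs LZW), computes the declared-output-to-input ratio and rejects the file before any image library touches it, which is the kind of pre-decode check a service accepting user-uploaded GIFs can put in front of Pillow. The 4-bytes-per-pixel bound, the budget defaults, the function names and the constructed sample files are assumptions made for the example; the sample's LZW payload is a fixed stub, not a real frame and not the CVE payload.

```python
import struct

# Assumption for this example: an upper bound on bytes per decoded pixel.
# A decoder may hold GIF frames as 8-bit palette, RGB or RGBA; 4 is conservative.
ASSUMED_BYTES_PER_PIXEL = 4


def _skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks (length byte + payload, 0 terminates)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_layout(data):
    """Parse only the GIF container framing, never the LZW pixel stream.
    Returns (canvas_w, canvas_h, [(frame_w, frame_h), ...])."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    canvas_w, canvas_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13  # header (6) + logical screen descriptor (7)
    if packed & 0x80:  # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    frames = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:  # image descriptor: left, top, width, height, packed
            _left, _top, w, h, fpacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if fpacked & 0x80:  # local colour table
                pos += 3 * (2 << (fpacked & 0x07))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
            frames.append((w, h))
        else:
            raise ValueError("unknown block 0x%02x" % block)
    return canvas_w, canvas_h, frames


def amplification_ratio(data):
    """Declared decoded bytes for all frames divided by the input size."""
    _, _, frames = gif_layout(data)
    return sum(w * h for w, h in frames) * ASSUMED_BYTES_PER_PIXEL / len(data)


def check_gif(data, max_pixels=50_000_000, max_ratio=1000):
    """Reject a GIF whose declared canvas, summed frame area or expansion
    ratio exceeds the budget (budgets are example assumptions). Returns the
    layout on success, raises ValueError otherwise."""
    canvas_w, canvas_h, frames = gif_layout(data)
    if canvas_w * canvas_h > max_pixels:
        raise ValueError(f"canvas {canvas_w}x{canvas_h} exceeds pixel budget")
    total = sum(w * h for w, h in frames)
    if total > max_pixels:
        raise ValueError(f"{len(frames)} frame(s) totalling {total} pixels exceed budget")
    ratio = total * ASSUMED_BYTES_PER_PIXEL / len(data)
    if ratio > max_ratio:
        raise ValueError(f"expansion ratio {ratio:.0f}x exceeds {max_ratio}x")
    return canvas_w, canvas_h, frames


def build_gif(width, height, frames):
    """Constructed sample: a GIF89a container with a 2-entry global palette and
    one image descriptor per (w, h). The LZW payload is a fixed 2-byte stub
    (valid for a 1x1 image only); it is not meaningful pixel data and not the
    CVE payload. Only the declared sizes matter for this check."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", width, height, 0x80, 0, 0)  # LSD with global table flag
    out += b"\x00\x00\x00\xff\xff\xff"                         # palette: black, white
    for w, h in frames:
        out += b"\x21\xf9\x04\x01\x00\x00\x00\x00"             # graphic control extension
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, w, h, 0)  # image descriptor
        out += b"\x02\x02\x44\x01\x00"                         # LZW min code size + stub block
    out += b"\x3b"                                             # trailer
    return bytes(out)


if __name__ == "__main__":
    for label, sample in [
        ("1x1 pixel", build_gif(1, 1, [(1, 1)])),
        ("20000x20000 canvas", build_gif(20000, 20000, [(20000, 20000)])),
        ("100 frames of 1000x1000", build_gif(1000, 1000, [(1000, 1000)] * 100)),
    ]:
        try:
            check_gif(sample)
            print(f"{label}: {len(sample)} bytes, accepted")
        except ValueError as exc:
            print(f"{label}: {len(sample)} bytes, rejected ({exc})")
```

The 20000x20000 sample is the same 43 bytes on disk as the 1x1 one; only four header bytes differ, which is why a size limit on the upload alone is no defence. A check like this limits blast radius for any decompression-bomb style input, but it is defence in depth only: it does not replace upgrading to Pillow 9.2.0 or later, and it should sit alongside a memory limit on the worker process that does the decoding.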
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-45198?
About the Fix from Resolved Security
Available Upgrade Options
- pillow
- <9.2.0 → Upgrade to 9.2.0
Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2022-42979.yaml
- https://bugs.gentoo.org/855683
- https://cwe.mitre.org/data/definitions/409.html
- https://github.com/python-pillow/Pillow/pull/6402
- https://nvd.nist.gov/vuln/detail/CVE-2022-45198
- https://osv.dev/vulnerability/GHSA-m2vv-5vj5-2hm7
- https://security.gentoo.org/glsa/202211-10
- https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4
- https://github.com/python-pillow/Pillow
What are Similar Vulnerabilities to CVE-2022-45198?
Similar Vulnerabilities: CVE-2021-27922, GHSA-4fx9-vc88-q2xc, CVE-2020-35655, CVE-2022-29217, CVE-2020-8199
