First published: Fri Jan 19 2024(Updated: )
Pillow could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user supplied-input by the PIL.ImageMath.eval function. By sending a specially crafted request using keys that leverage the environment parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
ubuntu/pillow | <7.0.0-4ubuntu0.8 | 7.0.0-4ubuntu0.8 |
ubuntu/pillow | <9.0.1-1ubuntu0.2 | 9.0.1-1ubuntu0.2 |
ubuntu/pillow | <10.0.0-1ubuntu0.1 | 10.0.0-1ubuntu0.1 |
ubuntu/pillow | <10.2.0-1 | 10.2.0-1 |
debian/pillow | <=5.4.1-2+deb10u3<=8.1.2+dfsg-0.3+deb11u1<=9.4.0-1.1 | 5.4.1-2+deb10u6 10.3.0-2 |
Python Pillow | <=10.1.0 | |
Debian Debian Linux | =10.0 | |
pip/Pillow | <10.2.0 | 10.2.0 |
IBM Cognos Analytics | <=12.0.0-12.0.3 | |
IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.