{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-22815", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T03:21:49.146Z", "dateReserved": "2022-01-07T00:00:00", "datePublished": "2022-01-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-11-22T00:00:00"}, "descriptions": [{"lang": "en", "value": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling"}, {"url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331"}, {"name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"name": "DSA-5053", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"name": "GLSA-202211-10", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.146Z"}, "title": "CVE Program Container", "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling", "tags": ["x_transferred"]}, {"url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"name": "DSA-5053", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"name": "GLSA-202211-10", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202211-10"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "230E2D17-CE9C-44C0-8EE5-B025D2C147EF", "versionEndExcluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path."}, {"lang": "es", "value": "La funci\u00f3n path_getbbox en el archivo path.c en Pillow versiones anteriores a 9.0.0 inicializa incorrectamente ImagePath.Path"}], "id": "CVE-2022-22815", "lastModified": "2024-11-21T06:47:30.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T14:12:54.423", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/python-pillow/Pillow/blob/c5d9223a8b5e9295d15b5a9b1ef1dae44c8499f3/src/path.c#L331"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-665"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0643", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pillow-0:5.1.1-18.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-02-22T00:00:00Z"}], "bugzilla": {"description": "python-pillow: improperly initializes ImagePath.Path in path_getbbox() in path.c", "id": "2042511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2042511"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "status": "verified"}, "cwe": "CWE-665->CWE-909", "details": ["path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.", "A flaw was found in python-pillow. The vulnerability occurs due to improper initialization of image paths, leading to improperly initializing the ImagePath. This flaw allows an attacker to access unauthorized memory that causes memory access errors, incorrect results, or crashes."], "name": "CVE-2022-22815", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-pillow", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2022-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22815\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22815\nhttps://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling"], "statement": "Red Hat Quay ships a vulnerable version of Pillow as a dependency of xhtml2pdf. The xhtml2pdf package is used in the invoice generation feature of Quay, however, the vulnerable ImagePath module is not used by xhtml2pdf. Therefore impact for Quay is rated Low.", "threat_severity": "Moderate"}