{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-22817", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-15T20:26:11.440Z", "dateReserved": "2022-01-07T00:00:00", "datePublished": "2022-01-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-22T11:05:55.677996"}, "descriptions": [{"lang": "en", "value": "PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval"}, {"name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"name": "DSA-5053", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security"}, {"name": "GLSA-202211-10", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.221Z"}, "title": "CVE Program Container", "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"name": "DSA-5053", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security", "tags": ["x_transferred"]}, {"name": "GLSA-202211-10", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:36:26.542748Z", "id": "CVE-2022-22817", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T20:26:11.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html", "name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.debian.org/security/2022/dsa-5053", "name": "DSA-5053", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202211-10", "name": "GLSA-202211-10", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html", "name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.221Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-22817", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-15T17:36:26.542748Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T20:26:03.749Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html", "name": "[debian-lts-announce] 20220123 [SECURITY] [DLA 2893-1] pillow security update", "tags": ["mailing-list"]}, {"url": "https://www.debian.org/security/2022/dsa-5053", "name": "DSA-5053", "tags": ["vendor-advisory"]}, {"url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security"}, {"url": "https://security.gentoo.org/glsa/202211-10", "name": "GLSA-202211-10", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html", "name": "[debian-lts-announce] 20240322 [SECURITY] [DLA 3768-1] pillow security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-22T11:05:55.677996"}}}, "cveMetadata": {"cveId": "CVE-2022-22817", "state": "PUBLISHED", "dateUpdated": "2024-10-15T20:26:11.440Z", "dateReserved": "2022-01-07T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-01-07T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*", "matchCriteriaId": "247E74B8-CE5D-4409-B0F2-4F76D7C0EC99", "versionEndExcluding": "9.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used."}, {"lang": "es", "value": "PIL.ImageMath.eval en Pillow antes de la versi\u00f3n 9.0.0 permite la evaluaci\u00f3n de expresiones arbitrarias, como las que utilizan el m\u00e9todo exec de Python. Tambi\u00e9n se puede utilizar una expresi\u00f3n lambda,"}], "id": "CVE-2022-22817", "lastModified": "2024-11-21T06:47:30.477", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-01-10T14:12:55.160", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00018.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202211-10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5053"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0609", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-pillow-0:2.0.0-23.gitd1c6db8.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-02-22T00:00:00Z"}, {"advisory": "RHSA-2022:0643", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python-pillow-0:5.1.1-18.el8_5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-02-22T00:00:00Z"}, {"advisory": "RHSA-2022:0669", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "python-pillow-0:5.1.1-13.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-02-24T00:00:00Z"}, {"advisory": "RHSA-2022:0667", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "python-pillow-0:5.1.1-14.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-02-24T00:00:00Z"}, {"advisory": "RHSA-2022:0665", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "python-pillow-0:5.1.1-14.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-02-24T00:00:00Z"}], "bugzilla": {"description": "python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions", "id": "2042527", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2042527"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.", "A flaw was found in python-pillow. The vulnerability occurs due to Improper Neutralization, leading to command injection. This flaw allows an attacker to externally-influenced input commands that modify the intended command."], "name": "CVE-2022-22817", "package_state": [{"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "impact": "low", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2022-01-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22817\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22817\nhttps://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling"], "statement": "Red Hat Quay ships a vulnerable version of Pillow as a dependency of xhtml2pdf. The xhtml2pdf package is used in the invoice generation feature of Quay, however, the vulnerable ImageMath module is not used by xhtml2pdf. Therefore impact for Quay is rated Low.", "threat_severity": "Important"}