Arbitrary Code Execution

2024-01-2309:46:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

arbitrary code execution

vulnerability

pil.imagemath.eval

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.7%

JSON

pillow is vulnerable to Arbitrary Code Execution. The vulnerability is due to an improper neutralization/sanitization of keys passed to the PIL.ImageMath.eval function environment parameter. An attacker can execute arbitrary code if they have control over the keys passed to PIL.ImageMath.eval environment parameters

CPENameOperatorVersion
pillowle10.1.0
py3-pillow:3.19eq10.1.0-r1
py3-pillow:edgeeq8.1.2-r0
py3-pillow:edgeeq9.3.0-r1
py3-pillow:edgeeq7.1.2-r0
py3-pillow:edgeeq8.4.0-r0
py3-pillow:edgeeq8.1.0-r0
py3-pillow:edgeeq6.2.2-r0
py3-pillow:edgeeq9.2.0-r1
py3-pillow:edgeeq9.2.0-r0

Name	Operator	Version
pillow	le	10.1.0
py3-pillow:3.19	eq	10.1.0-r1
py3-pillow:edge	eq	8.1.2-r0
py3-pillow:edge	eq	9.3.0-r1
py3-pillow:edge	eq	7.1.2-r0
py3-pillow:edge	eq	8.4.0-r0
py3-pillow:edge	eq	8.1.0-r0
py3-pillow:edge	eq	6.2.2-r0
py3-pillow:edge	eq	9.2.0-r1
py3-pillow:edge	eq	9.2.0-r0