https://bugzilla.redhat.com/show_bug.cgi?id=2042527
Bug ID: 2042527
Summary: CVE-2022-22817 python-pillow: PIL.ImageMath.eval allows evaluation of arbitrary expressions
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: bdettelb@redhat.com, cstratak@redhat.com, epel-packagers-sig@lists.fedoraproject.org, infra-sig@lists.fedoraproject.org, manisandro@gmail.com, miminar@redhat.com, orion@nwra.com, python-maint@redhat.com, python-sig@lists.fedoraproject.org, torsava@redhat.com
Target Milestone: ---
Classification: Other
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
Reference: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-bui...