Vulnerability CVE-2022-24303: Information

Description

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-24303
Published: March 28, 2022
Modified: Nov. 7, 2023

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
python3-module-Pillowsisyphus9.0.1-alt110.3.0-alt1ALT-PU-2022-1236-1295017Fixed
python3-module-Pillowsisyphus_e2k9.0.1-alt110.3.0-alt1ALT-PU-2022-4097-1-Fixed
python3-module-Pillowsisyphus_riscv649.0.1-alt110.3.0-alt1ALT-PU-2022-4020-1-Fixed
python3-module-Pillowp109.4.0-alt29.4.0-alt2ALT-PU-2023-7942-3336131Fixed
python3-module-Pillowp10_e2k9.4.0-alt29.4.0-alt2ALT-PU-2023-8118-1-Fixed
python3-module-Pillowc10f19.4.0-alt29.4.0-alt2ALT-PU-2023-8182-2336766Fixed
python3-module-Pillowp119.0.1-alt110.3.0-alt1ALT-PU-2022-1236-1295017Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
  • Release Notes
  • Vendor Advisory
https://github.com/python-pillow/Pillow/pull/3450
  • Third Party Advisory
GLSA-202211-10
  • Third Party Advisory
FEDORA-2022-ee15b98ea1
    FEDORA-2022-64332f2a7c

        1. Configuration 1

          cpe:2.3:a:python:pillow:*:*:*:*:*:*:*:*
          End excliding
          9.0.1

          Configuration 2

          cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
          cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top