GSA_kwCzR0hTQS05ajU5LTc1cWotNzk1d80yIg

High CVSS: 8.8 EPSS: 0.00528% (0.66194 Percentile) EPSS:

Permalink JSON

Path traversal in Pillow

Affected Packages	Affected Versions	Fixed Versions
pypi:Pillow	< 9.0.1	9.0.1
4,378 Dependent packages 88,899 Dependent repositories 167,064,457 Downloads last month Affected Version Ranges All affected versions 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.4.1, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 8.2.0, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 9.0.0 All unaffected versions 9.0.1, 9.1.0, 9.1.1, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

References:

Identifiers

GHSA-9j59-75qj-795w

CVE-2022-24303

Risk

Severity

High

CVSS

CVSS Score: 8.8

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00528

EPSS Percentile: 0.66194

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/python-pillow/Pillow

Date and time

Published

over 3 years ago

Updated

10 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories