FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2023-50447

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Jan 19, 2024 / Updated: 10mo ago

010
CVSS 8.1EPSS 0.05%High
CVE info copied to clipboard

Summary

Pillow through version 10.1.0 contains a vulnerability that allows arbitrary code execution via the environment parameter in PIL.ImageMath.eval. This is distinct from the previously identified CVE-2022-22817, which pertained to the expression parameter.

Impact

This vulnerability could allow an attacker to execute arbitrary code within the context of the application using Pillow. The potential impacts include: 1. Unauthorized access to the system 2. Data theft or manipulation 3. Further system compromise 4. Potential for lateral movement within the network The vulnerability has a CVSS v3.1 base score of 8.1, classified as "HIGH" severity, indicating a significant risk that should be prioritized for patching. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which indicates: - Network attack vector (AV:N) - High attack complexity (AC:H) - No privileges required (PR:N) - No user interaction required (UI:N) - Unchanged scope (S:U) - High impact on confidentiality, integrity, and availability (C:H/I:H/A:H) This scoring suggests that while the attack is complex to execute, it can be initiated remotely without user interaction or privileges, and can have severe consequences if successful.

Exploitation

One proof-of-concept exploit is available on github.io. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Oracle has released a patch for this vulnerability, which was added on July 16, 2024. The patch can be found in the Oracle Critical Patch Update for July 2024, available at https://www.oracle.com/security-alerts/cpujul2024.html. Additionally, users should update Pillow to a version newer than 10.1.0 as soon as possible.

Mitigation

To mitigate this vulnerability: 1. Update Pillow to a version newer than 10.1.0 as soon as possible. 2. Apply the Oracle patch if you're using an Oracle product that incorporates Pillow. 3. If immediate updating is not possible, consider temporarily disabling or restricting access to functionality that uses PIL.ImageMath.eval, especially if it processes user-controlled input. 4. Implement input validation and sanitization for any data passed to PIL.ImageMath.eval. 5. Monitor system logs for any suspicious activities related to Pillow usage. 6. Use security tools like Qualys or Nessus, which can detect this vulnerability, to scan your systems regularly. 7. Keep all systems and dependencies up to date with the latest security patches. Prioritize patching efforts based on the criticality of affected systems and their exposure to potential attackers. Systems directly accessible from the internet or processing untrusted input should be addressed first.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2023-50447

Jan 19, 2024 at 12:15 PM
First Article

Feedly found the first article mentioning CVE-2023-50447. See article

Jan 19, 2024 at 8:21 PM / National Vulnerability Database
Vendor Advisory

GitHub Advisories released a security advisory.

Jan 19, 2024 at 9:30 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jan 20, 2024 at 7:27 AM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jan 20, 2024 at 5:20 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (996819)

Jan 22, 2024 at 12:00 AM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2023-50447).

Jan 22, 2024 at 5:45 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (189400)

Jan 24, 2024 at 6:15 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 13.8%)

Jan 24, 2024 at 6:32 PM
Static CVE Timeline Graph

Affected Systems

Debian/debian_linux
+null more

Exploits

https://duartecsantos.github.io/2023-01-02-CVE-2023-50447/
+null more

Patches

Oracle
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

Vendor Advisory

Oracle Critical Patch Update Advisory - October 2024
Oracle Critical Patch Updates / 35d
Oracle Id: cpuoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.

References

DSA-5704-1 pillow - security update
Debian Security / 5mo
Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed. https://security-tracker.debian.org/tracker/DSA-5704-1
DLA-3724-1 pillow - security update
Debian Security / 9mo
https://security-tracker.debian.org/tracker/DLA-3724-1

News

RHEL 7 : python-pillow (RHSA-2024:0857)
Newest Plugins from Tenable / 11d
The remote Red Hat host is missing a security update for python-pillow. The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:0857 advisory.
Multiple vulnerabilities in Oracle Financial Services Compliance Studio
Security feed from CyberSecurity Help / 35d
The vulnerability exists due to a use-after-free error within the jsonParseAddNodeArray() function in sqlite3.c. A remote attacker can pass specially crafted json data to the application and perform a denial of service (DoS) attack. A remote attacker can send specially crafted HTTP requests to the application and perform a denial of service (DoS) attack.
euleros EulerOS-SA-2024-2488: An update for python-pillow is now available for EulerOS V2.0SP8
Recently Released Plugin Pipeline from Tenable / 56d
Released Last Updated: 9/24/2024 CVEs: CVE-2024-28219 , CVE-2023-50447 Plugins: 207611
Multiple vulnerabilities in IBM PowerVC
Security feed from CyberSecurity Help / 3mo
A remote attacker can pass specially crafted file to the library and execute arbitrary code on the system. A remote attacker can send a specially crafted input to the application and execute arbitrary code on the target system.
Code injection in IBM Storage Ceph
Security feed from CyberSecurity Help / 3mo
A remote attacker can send a specially crafted input to the application and execute arbitrary code on the target system. The vulnerability allows a remote attacker to execute arbitrary code on the target system.
See 135 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.1(18246)CWE-94(4001)CWE-77(2525)CWE-95(67)Debian(8948)Python(230)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial