CVE-2022-24303
📋 TL;DR
This vulnerability in Pillow (Python Imaging Library) allows attackers to delete arbitrary files on the system due to improper handling of spaces in temporary pathnames. Attackers can exploit this by crafting malicious filenames that cause the library to misinterpret temporary file paths. Any application using vulnerable versions of Pillow for image processing is affected.
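The space-mishandling pattern described above, shown as an added example that is not Pillow's own code: a cleanup routine that interpolates a temporary path into a shell command splits the path on the space, while quoting the path or removing the file without a shell keeps it as one argument. The directory name "/tmp/my images" and the file name "tmpab12cd.png" are constructed for the illustration.

```python
import os
import shlex
import tempfile

# Constructed example: a temporary directory whose name contains a space.
TMP_DIR_WITH_SPACE = "/tmp/my images"
TMP_FILE = os.path.join(TMP_DIR_WITH_SPACE, "tmpab12cd.png")


def unsafe_cleanup_command(path: str) -> str:
    """Vulnerable pattern (hypothetical, not Pillow's code): the path is
    dropped into a shell string without quoting."""
    return f"rm -f {path}"


def safe_cleanup_command(path: str) -> str:
    """Hardened variant: shlex.quote turns the path into a single shell word."""
    return f"rm -f {shlex.quote(path)}"


def files_targeted(command: str) -> list:
    """Tokenise the command as a POSIX shell would; every word after
    'rm -f' is a separate file that rm would try to delete."""
    return shlex.split(command)[2:]


def remove_without_shell(path: str) -> bool:
    """Preferred fix: no shell at all, so spaces in the path are irrelevant."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo_remove_in_dir_with_space() -> bool:
    """Create a real file under a temp directory whose name contains a space,
    delete it without a shell, and report whether exactly that file is gone."""
    tmpdir = tempfile.mkdtemp(prefix="pillow demo ")  # name contains a space
    path = os.path.join(tmpdir, "tmpab12cd.png")
    with open(path, "wb") as fh:
        fh.write(b"\x89PNG")  # constructed placeholder bytes, not a real image
    removed = remove_without_shell(path)
    gone = not os.path.exists(path)
    os.rmdir(tmpdir)
    return removed and gone
```

Comparing `files_targeted(unsafe_cleanup_command(TMP_FILE))` with the safe variant shows the unquoted command handing rm two unrelated paths ("/tmp/my" and "images/tmpab12cd.png") instead of the intended temporary file.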
💻 Affected Systems
- Pillow (Python Imaging Library)
📦 What is this software?
Fedora by Fedoraproject
Pillow by Python
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, potentially causing system crashes, data loss, or enabling further attacks by removing security controls.
Likely Case
Data loss or application disruption through deletion of application files, configuration files, or user data, leading to service outages or corrupted data.
If Mitigated
Limited impact with proper file permissions and sandboxing, potentially only affecting non-critical temporary files within the application's scope.
🎯 Exploit Status
The vulnerability is in the core library and can be triggered by processing specially crafted filenames. Public proof-of-concept exists in the GitHub pull request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.1 and later
Vendor Advisory: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
Restart Required: No
Instructions:
1. Update Pillow using pip: 'pip install --upgrade "pillow>=9.0.1"' (quote the requirement so the shell does not treat '>=' as an output redirection)
2. Verify the update with: 'pip show pillow'
3. Restart any running Python applications that use Pillow.
🔧 Temporary Workarounds
Input Validation
Validate and sanitize all user-supplied filenames before passing them to Pillow functions
Sandbox Execution
Run Pillow in a container or sandbox with restricted file system access (Linux):
docker run --read-only -v /tmp:/tmp:ro your_app
🧯 If You Can't Patch
- Implement strict input validation to reject filenames containing spaces or special characters
- Run the application with minimal file system permissions and in a chroot/jail environment
🔍 How to Verify
Check if Vulnerable:
Check Pillow version with: python -c "import PIL; print(PIL.__version__)" and verify it's below 9.0.1
Check Version:
python -c "import PIL; print(PIL.__version__)" or pip show pillow
Verify Fix Applied:
After updating, verify version is 9.0.1 or higher with: python -c "import PIL; print(PIL.__version__)"
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion errors
- Permission denied errors for system files
- Application crashes during image processing
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
source="application_logs" AND ("Permission denied" OR "FileNotFoundError" OR "OSError") AND process="python"
🔗 References
- https://github.com/python-pillow/Pillow/pull/3450
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W4ZUXPKEX72O3E5IHBPVY5ZCPMJ4GHHV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XR6UP2XONXOVXI4446VY72R63YRO2YTP/
- https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
- https://security.gentoo.org/glsa/202211-10