VYPR
High severity · NVD Advisory · Published Mar 28, 2022 · Updated Aug 3, 2024

CVE-2022-24303

Description

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pillow before 9.0.1 mishandles spaces in temporary pathnames, allowing attackers to delete arbitrary files.

Vulnerability

In Pillow versions prior to 9.0.1, the ImageShow module's show_file function used tempfile.mkstemp() to create a temporary file path. When the path contained spaces, the filename was not properly quoted in shell commands, leading to a command injection-like scenario where an attacker could manipulate the temporary file name to delete arbitrary files on the system. The affected component is PIL.ImageShow in Pillow/ImageShow.py. The vulnerability was introduced in an unknown version and fixed in version 9.0.1. [1][2]

Exploitation

An attacker must be able to influence the input file name or the environment such that the temporary path includes spaces. The typical attack vector involves a user opening a malicious image file with a crafted name that includes spaces and shell metacharacters. When Pillow's ImageShow creates a temporary file and passes it to a shell command (e.g., open on macOS or xdg-open on Linux), the space in the path causes the shell to interpret parts of the path as separate arguments, potentially allowing deletion of other files. The attacker does not need authentication, only the ability to supply a file path with spaces. [2][3]

Impact

Successful exploitation allows an attacker to delete arbitrary files on the system with the privileges of the user running the Pillow application. This can lead to denial of service, data loss, or privilege escalation if critical system files are removed. The vulnerability does not allow reading or modifying files, only deletion. [2]

Mitigation

Pillow version 9.0.1, released on 2022-03-28, fully addresses the vulnerability by rewriting the show_file methods to avoid using temporary files with shell commands and instead directly passing the file to the viewer program. Users should upgrade to Pillow 9.0.1 or later. No workarounds are available for versions prior to 9.0.1. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1][4]
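As an added illustration (not Pillow's code and not part of this advisory), the Python below contrasts the unquoted shell-string pattern the narrative describes with the quoted and argv forms, and with cleanup done via os.remove instead of a shell `rm -f`. The viewer names, the paths and the demo directory with spaces in its name are constructed assumptions.

```python
import os
import shlex
import tempfile

# Constructed model of the pattern the advisory describes (not Pillow's own code):
# a temporary path is interpolated, unquoted, into shell command strings.
def unquoted_viewer_command(viewer: str, path: str) -> str:
    return f"{viewer} {path}"

def unquoted_cleanup_command(path: str) -> str:
    return f"rm -f {path}"

def shell_words(command: str) -> list:
    """Split a command the way a POSIX shell would, to audit what each program receives."""
    return shlex.split(command)

def cleanup_targets(command: str) -> list:
    """Paths an `rm -f ...` shell command would really act on after word splitting."""
    words = shell_words(command)
    return words[2:] if words[:2] == ["rm", "-f"] else []

def quoted_viewer_command(viewer: str, path: str) -> str:
    """Hardened string form: shlex.quote keeps a path containing spaces as one word."""
    return f"{viewer} {shlex.quote(path)}"

def viewer_argv(viewer: str, path: str) -> list:
    """Hardened argv form for subprocess without a shell: no word splitting at all."""
    return [viewer, path]

def remove_temp_file(path: str) -> bool:
    """Cleanup in Python (os.remove) rather than a shell `rm -f`: only this file is touched."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False

def demo() -> dict:
    """Create a temp file inside a directory whose name contains spaces and compare forms."""
    base = tempfile.mkdtemp(prefix="pillow demo ")  # constructed: directory name with spaces
    fd, path = tempfile.mkstemp(suffix=".png", dir=base)
    os.close(fd)
    result = {
        "path": path,
        "unquoted_words": shell_words(unquoted_viewer_command("xdg-open", path)),
        "rm_targets": cleanup_targets(unquoted_cleanup_command(path)),
        "quoted_words": shell_words(quoted_viewer_command("xdg-open", path)),
        "removed": remove_temp_file(path),
    }
    os.rmdir(base)
    return result
```

Running demo() shows the unquoted `rm -f` line receiving several path fragments, none of them the intended file, while the quoted form and os.remove each act on exactly one path.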

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
Pillow (PyPI)    < 9.0.1             9.0.1
