Critical severityNVD Advisory· Published Jan 19, 2024· Updated Aug 2, 2024
CVE-2023-50447
CVE-2023-50447
Description
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
PillowPyPI | < 10.2.0 | 10.2.0 |
Affected products
48- Pillow/Pillowdescription
- osv-coords47 versionspkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/py3.10-pillowpkg:apk/chainguard/py3.10-seabornpkg:apk/chainguard/py3.11-pillowpkg:apk/chainguard/py3.11-seabornpkg:apk/chainguard/py3.12-pillowpkg:apk/chainguard/py3.12-seabornpkg:apk/chainguard/py3.13-pillowpkg:apk/chainguard/py3.13-seabornpkg:apk/chainguard/py3-pillowpkg:apk/chainguard/py3-seabornpkg:apk/chainguard/py3-supported-pillowpkg:apk/chainguard/py3-supported-seabornpkg:apk/chainguard/pytorchpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/py3.10-pillowpkg:apk/wolfi/py3.10-seabornpkg:apk/wolfi/py3.11-pillowpkg:apk/wolfi/py3.11-seabornpkg:apk/wolfi/py3.12-pillowpkg:apk/wolfi/py3.12-seabornpkg:apk/wolfi/py3.13-pillowpkg:apk/wolfi/py3.13-seabornpkg:apk/wolfi/py3-pillowpkg:apk/wolfi/py3-seabornpkg:apk/wolfi/py3-supported-pillowpkg:apk/wolfi/py3-supported-seabornpkg:apk/wolfi/pytorchpkg:bitnami/pillowpkg:pypi/pillowpkg:rpm/almalinux/python3-pillowpkg:rpm/almalinux/python3-pillow-develpkg:rpm/almalinux/python3-pillow-docpkg:rpm/almalinux/python3-pillow-tkpkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/python-Pillow&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Pillow&distro=SUSE%20Package%20Hub%2015%20SP5
< 2.4.1-r2+ 46 more
- (no CPE)range: < 2.4.1-r2
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 2.1.2-r3
- (no CPE)range: < 2.4.1-r2
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 10.2.0-r0
- (no CPE)range: < 0.13.2-r0
- (no CPE)range: < 2.1.2-r3
- (no CPE)range: < 10.1.1
- (no CPE)range: < 10.2.0
- (no CPE)range: < 5.1.1-18.el8_9.1.alma.1
- (no CPE)range: < 5.1.1-18.el8_9.1.alma.1
- (no CPE)range: < 5.1.1-18.el8_9.1.alma.1
- (no CPE)range: < 5.1.1-18.el8_9.1.alma.1
- (no CPE)range: < 7.2.0-150300.3.6.1
- (no CPE)range: < 10.2.0-1.1
- (no CPE)range: < 4.2.1-3.26.1
- (no CPE)range: < 9.5.0-150400.5.9.1
- (no CPE)range: < 9.5.0-150400.5.9.1
- (no CPE)range: < 9.5.0-150400.5.9.1
- (no CPE)range: < 9.5.0-150400.5.9.1
- (no CPE)range: < 9.5.0-150400.5.9.1
- (no CPE)range: < 4.2.1-3.26.1
- (no CPE)range: < 5.2.0-3.23.1
- (no CPE)range: < 4.2.1-3.26.1
- (no CPE)range: < 5.2.0-3.23.1
- (no CPE)range: < 8.4.0-bp155.3.3.1
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-3f63-hfp8-52jqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-50447ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/01/20/1ghsamailing-listWEB
- devhub.checkmarx.com/cve-details/CVE-2023-50447ghsaWEB
- duartecsantos.github.io/2023-01-02-CVE-2023-50447ghsaWEB
- duartecsantos.github.io/2024-01-02-CVE-2023-50447ghsaWEB
- github.com/python-pillow/Pillow/commit/45c726fd4daa63236a8f3653530f297dc87b160aghsaWEB
- github.com/python-pillow/Pillow/releasesghsaWEB
- lists.debian.org/debian-lts-announce/2024/01/msg00019.htmlghsamailing-listWEB
- pillow.readthedocs.io/en/stable/releasenotes/10.2.0.htmlghsaWEB
- devhub.checkmarx.com/cve-details/CVE-2023-50447/mitre
- duartecsantos.github.io/2024-01-02-CVE-2023-50447/mitre
News mentions
0No linked articles in our index yet.