Bug 2052682 (CVE-2022-24303)
| Summary: | CVE-2022-24303 python-pillow: temporary directory with a space character allows removal of unrelated file after im.show() and related actions | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, cstratak, epel-packagers-sig, infra-sig, lbalhar, manisandro, orion, python-maint, python-sig, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in python-pillow. The vulnerability occurs due to the not validated remove operation, leading to Improper input validation. This flaw allows an attacker to externally-influenced input commands that modify or remove the intended command.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2052683, 2052684, 2052685, 2053489 | ||
| Bug Blocks: | 2052688 | ||
|
Description
Guilherme de Almeida Suckevicz
2022-02-09 19:06:02 UTC
Created mingw-python-pillow tracking bugs for this issue: Affects: fedora-all [bug 2052683] Created python-pillow tracking bugs for this issue: Affects: fedora-all [bug 2052684] Created python3-pillow tracking bugs for this issue: Affects: epel-7 [bug 2052685] Upstream commit https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26 |