<p>Upgrade to version <code>2.5.0</code> or greater.</p>

Arbitrary Command Execution Affecting pillow package, versions [,2.5.0)

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.2% (58^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-PILLOW-40037
published 5 May 2014
disclosed 27 Apr 2014
credit Michael Brown

Report a new vulnerability Found a mistake?

Introduced: 27 Apr 2014

CVE-2014-3007 Open this link in a new tab CWE-78 Open this link in a new tab

How to fix?

Upgrade to version 2.5.0 or greater.

Overview

Pillow is a Python Imaging Library (Fork).

Affected versions of this package are vulnerable to Pillow: metacharacter injection issue attacks. Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.