-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PythonPython| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pillow | pip | < 2.5.0 | 2.5.0 |
Miggo AIRoot Cause AnalysisThe Debian bug report explicitly shows JpegImagePlugin.py's load_djpeg function constructs a shell command via os.system("djpeg %s >%s" % (self.filename, file)). This directly interpolates user-controlled input (self.filename) into a shell command without sanitization, enabling command injection. While other functions mentioned in reports (e.g., EpsImagePlugin.py) had tempfile issues (CVE-2014-1932), this is the only function clearly tied to command injection (CWE-78) via shell metacharacters as described in CVE-2014-3007.
KEV Misses 88% of Exploited CVEs- Get the report