CVE-2022-24303: Path traversal in Pillow

CVSS Score: 9.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.64813%
Published: 3/11/2022
Updated: 10/11/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Pillow       | pip       | < 9.0.1             | 9.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper handling of temporary paths containing spaces in multiple ImageShow viewer classes. The pre-patch implementations used shell commands (with 'rm -f $im' patterns) together with tempfile.mkstemp, without quoting the path; because the shell word-splits an unquoted variable, a temporary path containing a space was no longer treated as a single file name. This allowed attackers who could influence the temporary path to delete arbitrary files. Commit 427221e replaces these shell-based removal patterns with os.remove and subprocess calls that do not use shell=True, confirming these functions were the source of the vulnerability. The high confidence comes from the direct correlation between the patch changes and the CVE description of space mishandling in temporary paths.
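An added illustration of the mechanism described above; this is example code, not Miggo's or Pillow's own. It runs the unquoted `rm -f $im` shell pattern and a plain os.remove against a temporary file created (by construction) under a directory whose name contains a space, and reports which file each approach actually removed. It assumes a POSIX shell and that the base temp directory itself has no spaces.

```python
import os
import subprocess
import tempfile


def vulnerable_cleanup(path: str) -> None:
    """Pre-9.0.1 style removal: the path is handed to a shell and expanded
    unquoted ($im), so the shell word-splits it at every space."""
    subprocess.run("im=$(cat); rm -f $im", shell=True, input=path.encode(), check=False)


def fixed_cleanup(path: str) -> None:
    """Post-patch style: no shell involved, the path is a single argument."""
    os.remove(path)


def demonstrate(cleanup) -> dict:
    """Create a temp file in a directory whose name has a space, plus a decoy
    named like the first shell word of that path, run `cleanup` on the temp
    file and report which of the two actually disappeared."""
    with tempfile.TemporaryDirectory() as base:
        if " " in base:
            raise RuntimeError("demo assumes the base temp dir has no spaces")
        # Constructed directory name that mimics a TMPDIR containing a space.
        spaced_dir = os.path.join(base, "tmp dir")
        os.mkdir(spaced_dir)
        fd, target = tempfile.mkstemp(suffix=".png", dir=spaced_dir)
        os.close(fd)
        # "<base>/tmp": the first word an unquoted $im expands to for `target`.
        decoy = target.split(" ", 1)[0]
        open(decoy, "w").close()
        cleanup(target)
        return {
            "target_removed": not os.path.exists(target),
            "decoy_removed": not os.path.exists(decoy),
        }


if __name__ == "__main__":
    print("shell, unquoted $im:", demonstrate(vulnerable_cleanup))
    print("os.remove:          ", demonstrate(fixed_cleanup))
```

With the shell pattern the intended file survives and the decoy is deleted; with os.remove only the intended file is removed.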


WAF Protection Rules

WAF Rule

Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled.

Reasoning

The vulnerability stems from improper handling of temporary paths containing spaces in multiple ImageShow viewer classes. The pre-patch implementations used shell commands (with 'rm -f $im' patterns) and `tempfile.mkstemp` without proper path quoting.