AVID-2026-R1300
Description
Vulnerability CVE-2023-50447
Details
Pillow through 10.1.0 allows arbitrary code execution in PIL.ImageMath.eval via the environment parameter. This is a different vulnerability from CVE-2022-22817, which concerned the expression parameter.
Reason for inclusion in AVID: CVE-2023-50447 describes an arbitrary code execution vulnerability in Pillow (PIL.ImageMath.eval via the environment parameter). Pillow is a widely used image processing library in AI/data pipelines, and thus a component commonly involved in building, training, and deploying general-purpose AI systems. This is a software vulnerability in a software stack used in AI workflows, not a hardware- or firmware-only issue. The CVE description and references provide clear evidence of the vulnerability and of its exploitable nature.
References
- NVD entry
- https://github.com/python-pillow/Pillow/releases
- https://devhub.checkmarx.com/cve-details/CVE-2023-50447/
- http://www.openwall.com/lists/oss-security/2024/01/20/1
- https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html
- https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-01-19
- Version: 0.3.3
- AVID Entry