CVE-2022-22815 — pillow - security update · VulnScope

CVE-2022-22815

pillow - security update

6.5

MEDIUM

CVSS 3.1

EPSS 0.10%

Description

path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path.

How to fix CVE-2022-22815

To remediate CVE-2022-22815, upgrade the affected package to a fixed version below.

Alpine/py3-pillow—upgrade to 8.4.0-r2 or later
Bitnami/pillow—upgrade to 9.0.0 or later
—upgrade to 5.4.1-2+deb10u3 or later
—upgrade to 4.0.0-4+deb9u4 or later
—upgrade to 8.1.2+dfsg-0.3+deb11u1 or later
—upgrade to 9.0.0 or later
—upgrade to 9.0.0 or later

Is CVE-2022-22815 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

from 0, < 8.4.0-r2
from 0, < 9.0.0
from 0, < 5.4.1-2+deb10u3
from 0, < 4.0.0-4+deb9u4
from 0, < 8.1.2+dfsg-0.3+deb11u1
from 0, < 9.0.0
from 0, < 9.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References (15)