fec-jli changed the title from "[Snyk:High] Arbitrary Code Execution (due by 02/26/2022)" to "[Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022)" on Jan 19, 2022
fec-jli changed the title from "[Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022)" to "[Snyk:Medium] Upgrade pillow to 9.0.0 (due by 02/26/2022)" on Jan 19, 2022
fec-jli changed the title from "[Snyk:Medium] Upgrade pillow to 9.0.0 (due by 02/26/2022)" to "[Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022)" on Jan 19, 2022
Upgrading to Pillow 9 would be a risk to us since we are currently on a lower version of Wagtail. Closing this since Pillow is only used within our authenticated CMS system and does not pose an imminent risk.
Overview
Pillow is a PIL (Python Imaging Library) fork.
Affected versions of this package are vulnerable to Arbitrary Code Execution via PIL.ImageMath.eval which allows evaluation of arbitrary expressions, such as ones that use the Python exec method.
https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-2331901
### Detailed path
Introduced through: project@0.0.0 › pillow@8.3.2
Introduced through: project@0.0.0 › wagtail@2.11.8 › pillow@8.3.2
Remediation:
Upgrade pillow to version 9.0.0
Completion criteria:
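The advisory above says that `PIL.ImageMath.eval` evaluates whatever Python expression it is handed, so any formula string that reaches it from an untrusted source (a user-supplied image operation in a CMS, for instance) becomes arbitrary code execution. The upgrade the advisory recommends is the fix; the following is an added example, not code from this issue, from Pillow or from Wagtail, showing the defence-in-depth check a practitioner would put in front of the call while an upgrade is blocked. It parses the expression with the standard-library `ast` module and rejects anything outside the arithmetic ImageMath actually needs. The `ALLOWED_FUNCTIONS` set is an assumption for this example (names commonly used in ImageMath expressions), not Pillow's authoritative list; the `safe_imagemath_eval` wrapper is hypothetical and imports Pillow only when called, so the validator itself runs without Pillow installed.

```python
"""Allow-list validator for expressions destined for PIL.ImageMath.eval.

Added example (not Pillow's own code). ImageMath.eval evaluates an arbitrary
Python expression, so calls such as exec(...), __import__(...) or attribute
walks like a.__class__ must never reach it from untrusted input. This
validator parses the expression and accepts only numeric literals, names of
the supplied images, arithmetic/comparison operators, and calls to an
allow-listed set of function names.
"""
import ast

# Assumed allow-list of helper names used in ImageMath expressions; trim it to
# what your own code actually uses. This is an assumption for the example,
# not an authoritative list from Pillow.
ALLOWED_FUNCTIONS = frozenset(
    {"abs", "int", "float", "min", "max", "convert", "equal", "notequal"}
)

# Operator node types that ImageMath arithmetic legitimately needs.
_ALLOWED_OPERATORS = (
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.LShift, ast.RShift, ast.BitOr, ast.BitAnd, ast.BitXor,
    ast.Invert, ast.USub, ast.UAdd,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)


def validate_imagemath_expression(expression: str, image_names) -> None:
    """Raise ValueError unless `expression` is plain arithmetic over `image_names`.

    Everything not explicitly allowed (attribute access, subscripts, lambdas,
    comprehensions, string literals, unknown names, keyword arguments) is
    rejected, so new Python syntax cannot slip through by omission.
    """
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None

    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.Load)):
            continue  # structural wrapper / name context, carries no behaviour
        if isinstance(node, ast.Constant):
            # bool is a subclass of int; reject it along with strings, None, etc.
            if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
                raise ValueError("only numeric literals are allowed")
            continue
        if isinstance(node, ast.Name):
            if node.id not in image_names and node.id not in ALLOWED_FUNCTIONS:
                raise ValueError(f"unknown name {node.id!r}")
            continue
        if isinstance(node, ast.Call):
            # Only a bare allow-listed name may be called: no exec(), no
            # __import__(), no (lambda: ...)() and no getattr(...) chains.
            if not isinstance(node.func, ast.Name) or node.func.id not in ALLOWED_FUNCTIONS:
                raise ValueError("only allow-listed functions may be called")
            if node.keywords:
                raise ValueError("keyword arguments are not allowed")
            continue
        if isinstance(node, (ast.BinOp, ast.UnaryOp, ast.Compare)):
            continue
        if isinstance(node, _ALLOWED_OPERATORS):
            continue
        raise ValueError(f"disallowed syntax: {type(node).__name__}")


def is_safe_imagemath_expression(expression: str, image_names) -> bool:
    """Boolean convenience wrapper around validate_imagemath_expression."""
    try:
        validate_imagemath_expression(expression, image_names)
    except ValueError:
        return False
    return True


def safe_imagemath_eval(expression: str, **images):
    """Hypothetical wrapper: validate first, then hand off to PIL.ImageMath.eval.

    Pillow is imported lazily so the validator above works without it.
    """
    validate_imagemath_expression(expression, images.keys())
    from PIL import ImageMath  # requires Pillow; ImageMath.eval(expression, **kw)
    return ImageMath.eval(expression, **images)


if __name__ == "__main__":
    # Constructed sample expressions: the first two mimic legitimate image
    # arithmetic, the rest are the kind of payload the advisory warns about.
    samples = [
        ("a + b", ["a", "b"]),
        ("min(a, b * 2) - 1", ["a", "b"]),
        ("exec('import os')", ["a"]),
        ("a.__class__", ["a"]),
        ("__import__('os').system('id')", ["a"]),
        ("(lambda: 0)()", ["a"]),
    ]
    for expr, names in samples:
        verdict = "allowed" if is_safe_imagemath_expression(expr, names) else "rejected"
        print(f"{verdict:8} {expr}")
```

Treat this as a stop-gap only: it narrows what an attacker can type, but the underlying library still evaluates Python, so the remediation above (upgrading Pillow) remains the actual fix, and the allow-list should be reviewed whenever the set of ImageMath helpers your code relies on changes.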