Pillow is vulnerable to information disclosure. The vulnerability exists because Pillow does not restrict the builtins available to the eval function of ImageMath.py, which allows an attacker to evaluate arbitrary expressions and gain access to sensitive information.
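The mitigation the advisory describes is an allowlist: an expression handed to ImageMath.eval may only reference the caller's image variables and the handful of functions ImageMath documents, never builtins, attributes or arbitrary names. The following is an added example, not Pillow's own code and not the exact logic of the 9.0.x fix: a stdlib-only gate that parses the expression with the ast module and rejects anything outside plain arithmetic before it reaches eval(). The function names in _ALLOWED_FUNCS are the ones listed in the ImageMath documentation; guarded_image_eval assumes Pillow is installed and is the only part that touches it.

```python
"""Allowlist gate for image-math expressions before they reach eval().

Added example (not Pillow's own code): the expression is parsed with the
stdlib ast module and rejected unless every node is plain arithmetic on the
caller-supplied image names plus a small set of documented ImageMath
functions. Useful as a front door for code that must keep calling
ImageMath.eval on a release that predates the builtins restriction.
"""
import ast

# Node classes a pure arithmetic expression needs. Attribute access, subscripts,
# lambdas, comprehensions, keyword/starred arguments and f-strings are absent
# from this tuple, so they are rejected without a denylist.
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Call,
    ast.Name, ast.Constant, ast.Load,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.LShift, ast.RShift, ast.BitOr, ast.BitXor, ast.BitAnd,
    ast.Invert, ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)

# Functions the ImageMath documentation exposes to expressions.
_ALLOWED_FUNCS = frozenset({"abs", "convert", "float", "int", "max", "min"})


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the allowlist."""


def validate_expression(expression: str, image_names) -> ast.Expression:
    """Parse `expression` and raise UnsafeExpression unless every node is allowed.

    `image_names` are the variable names the caller will bind to images.
    Returns the parsed tree so the caller may compile it if desired.
    """
    names = set(image_names)
    if names & _ALLOWED_FUNCS:
        raise UnsafeExpression("image name shadows an ImageMath function")
    try:
        tree = ast.parse(expression, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression(f"not a valid expression: {exc}") from None

    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in names and node.id not in _ALLOWED_FUNCS:
            raise UnsafeExpression(f"unknown name: {node.id}")
        if isinstance(node, ast.Call):
            # Only a bare allowed function name may be called: no a.method(),
            # no (expr)(), and no keyword arguments.
            if not (isinstance(node.func, ast.Name) and node.func.id in _ALLOWED_FUNCS):
                raise UnsafeExpression("call target is not an allowed function")
            if node.keywords:
                raise UnsafeExpression("keyword arguments are not allowed")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float, str)):
            raise UnsafeExpression(f"disallowed constant: {node.value!r}")
    return tree


def is_safe_expression(expression: str, image_names) -> bool:
    """Boolean convenience wrapper around validate_expression."""
    try:
        validate_expression(expression, image_names)
        return True
    except UnsafeExpression:
        return False


def guarded_image_eval(expression: str, **images):
    """Validate first, then delegate to PIL.ImageMath.eval (assumes Pillow is installed)."""
    validate_expression(expression, images.keys())
    from PIL import ImageMath  # imported lazily so the validator itself stays stdlib-only
    return ImageMath.eval(expression, **images)


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary image arithmetic,
    # the rest reach for names or syntax an image expression never needs.
    for expr in ["(a + b) / 2", "min(a, 255)", "a.__class__", "c + 1"]:
        print(f"{expr!r}: {'allowed' if is_safe_expression(expr, {'a', 'b'}) else 'rejected'}")
```

The check is structural, not lexical: it walks the parsed tree rather than searching the string for suspicious substrings, so there is nothing to obfuscate around, and an expression that is rejected never reaches eval() at all. Upgrading to Pillow 9.0.1 or later remains the real fix; this gate only adds defence in depth for a call site that already accepts expressions from an untrusted source.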
github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11
github.com/python-pillow/Pillow/pull/5923
lists.debian.org/debian-lts-announce/2022/01/msg00018.html
pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval
pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security
security.gentoo.org/glsa/202211-10
www.debian.org/security/2022/dsa-5053
www.mail-archive.com/[email protected]/msg32901.html