CVE-2014-3007
critical
CVSS v3
—
CVSS v2
10.0
VIR risk
10.0
Description
Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-3007
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.4.0-1 |
| debian | bullseye | fixed | 2.4.0-1 |
| debian | forky | fixed | 2.4.0-1 |
| debian | sid | fixed | 2.4.0-1 |
| debian | trixie | fixed | 2.4.0-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | pillow | <2.5.0 | 2.5.0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| python | pillow | 2.3.0 | |
| pythonware | python_imaging_library | {"endIncluding":"1.1.7"} | |
References
- http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1932.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
- https://nvd.nist.gov/vuln/detail/CVE-2014-3007
- https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-87.yaml
- https://github.com/python-pillow/Pillow
- https://security-tracker.debian.org/tracker/CVE-2014-3007
CWEs
CWE-78
Verify integrity in audit chain (admin only). AS-IS.