GMS-2022-348: Duplicate of ./pypi/Pillow/CVE-2022-24303.yml

March 11, 2022

If the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file. This been present since PIL.

References

github.com/advisories/GHSA-9j59-75qj-795w
github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26
nvd.nist.gov/vuln/detail/CVE-2022-24303
pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html

Detect and mitigate GMS-2022-348 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →