HumanSignal / label-studio

Label Studio is a multi-type data labeling and annotation tool with standardized output format

Home Page:https://labelstud.io

CVE in Pillow 10.1.0

vanHavel opened this issue · comments

Hi,

Our security scanner (trivy) reports a HIGH severity vulnerability in the Pillow version (10.1.0) included in the label-studio docker image (currently 1.11.0 or latest).

$ trivy image --security-checks vuln heartexlabs/label-studio:1.11.0

┌─────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ Pillow (METADATA)       │ CVE-2023-50447 │ HIGH     │          │ 10.1.0            │ 10.2.0        │ pillow:Arbitrary Code Execution via the environment         │
│                         │                │          │          │                   │               │ parameter                                                   │
│                         │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-50447                  │
├─────────────────────────┼────────────────┼──────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤

The vulnerability is fixed in Pillow >= 10.2.0.

Is it possible to upgrade Pillow by a minor version to fix this CVE?

Hi @vanHavel,

Thanks for letting us know about this! The vulnerability doesn't actually affect Label Studio because to trigger it, one has to allow user input to reach the environment parameter of PIL.ImageMath.eval (see details here) - we don't actually have ImageMath imported anywhere, nor do we use eval(), so Label Studio is not affected.

We'll update this dependency, but because the vulnerability doesn't impact our project, this work will be relatively low priority for us.

Cheers,
Jo
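The reply above reduces the triage to two questions: is the installed Pillow older than the fixed release, and does any code in the tree reach PIL.ImageMath.eval with caller-supplied values in its environment? The script below is an added example that automates both checks; it is not Label Studio's code nor anything the maintainer posted. It takes the fixed version 10.2.0 from the trivy output in the issue, scans Python sources with the standard-library ast module, and treats any argument beyond the expression (a second positional argument, keyword arguments, or **kwargs) as feeding the environment, which is an assumption about the shape of the ImageMath.eval call rather than anything stated in the thread. The sample sources are constructed for the example.

```python
"""Triage helper for CVE-2023-50447 (Pillow < 10.2.0, PIL.ImageMath.eval).

Added example, not Label Studio code. It combines the two checks from the
issue thread: is the installed Pillow below the fixed version, and does the
code base reach ImageMath.eval at all? Sources are scanned from an in-memory
dict so the script runs offline on the constructed samples at the bottom.
"""
import ast
from typing import Dict, List, Tuple

# First fixed release, as reported by trivy in the issue.
FIXED_IN = (10, 2, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '10.1.0' (or '10.2', '10.1.0.post1') into a 3-tuple of ints."""
    parts: List[int] = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def pillow_needs_upgrade(installed: str) -> bool:
    """True when the installed Pillow is older than the first fixed release."""
    return parse_version(installed) < FIXED_IN


def _is_imagemath_eval(func: ast.expr) -> bool:
    """Match ImageMath.eval(...) and PIL.ImageMath.eval(...)."""
    if not (isinstance(func, ast.Attribute) and func.attr == "eval"):
        return False
    base = func.value
    if isinstance(base, ast.Name):
        return base.id == "ImageMath"
    if isinstance(base, ast.Attribute):
        return base.attr == "ImageMath"
    return False


def find_imagemath_sinks(path: str, source: str) -> List[str]:
    """Report imports of PIL.ImageMath and calls to ImageMath.eval.

    Assumption: anything passed besides the expression (second positional
    argument, keywords, **kwargs) ends up in the evaluation environment, so
    such calls are the ones where request-controlled input could reach it.
    """
    findings: List[str] = []
    tree = ast.parse(source, filename=path)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "PIL.ImageMath":
                    findings.append(f"{path}:{node.lineno}: import PIL.ImageMath")
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module == "PIL.ImageMath" or (
                module == "PIL" and any(a.name == "ImageMath" for a in node.names)
            ):
                findings.append(f"{path}:{node.lineno}: from {module} import ImageMath")
        elif isinstance(node, ast.Call) and _is_imagemath_eval(node.func):
            supplies_env = len(node.args) >= 2 or bool(node.keywords)
            findings.append(
                f"{path}:{node.lineno}: ImageMath.eval call, environment "
                f"{'supplied by caller' if supplies_env else 'not supplied'}"
            )
    return findings


def triage(installed_pillow: str, sources: Dict[str, str]) -> Dict[str, object]:
    """Combine the version check with the reachability scan."""
    sinks: List[str] = []
    for path, source in sources.items():
        sinks.extend(find_imagemath_sinks(path, source))
    below_fix = pillow_needs_upgrade(installed_pillow)
    return {
        "pillow_below_fix": below_fix,
        "imagemath_sinks": sinks,
        # Exploitable only when both hold; otherwise the scanner hit is an
        # upgrade to schedule, not an emergency, which is the reply's point.
        "exploitable_in_this_code": below_fix and bool(sinks),
    }


# Constructed sample sources (not Label Studio's): one that only uses
# PIL.Image, as the reply describes, and one that does reach the sink.
SAMPLE_CLEAN = {
    "app/images.py": (
        "from PIL import Image\n"
        "def thumb(p):\n"
        "    return Image.open(p).resize((64, 64))\n"
    ),
}
SAMPLE_REACHABLE = {
    "app/filters.py": (
        "from PIL import Image, ImageMath\n"
        "def combine(a, b, expr):\n"
        "    # expr and the images come straight from a request\n"
        "    return ImageMath.eval(expr, a=a, b=b)\n"
    ),
}

if __name__ == "__main__":
    print(triage("10.1.0", SAMPLE_CLEAN))
    print(triage("10.1.0", SAMPLE_REACHABLE))
```

Run against the clean sample with Pillow 10.1.0 the result mirrors the maintainer's reasoning: the version is below the fix but there are no ImageMath sinks, so the hit is a dependency bump to schedule. The second sample shows what a genuinely reachable call looks like to the scanner, and raising Pillow to 10.2.0 flips its verdict back to not exploitable.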