CVE-2022-22817: 
Python vulnerability analysis and mitigation

PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. The vulnerability was initially discovered and disclosed in January 2022, affecting the Python Imaging Library (PIL) Pillow package (Pillow Release Notes).

The vulnerability exists in the PIL.ImageMath.eval functionality of Pillow versions prior to 9.0.0. The issue allows for unrestricted evaluation of arbitrary expressions, including those using the Python exec method and lambda expressions. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to arbitrary code execution if an attacker can provide malicious input to the ImageMath.eval function. This could result in complete system compromise, allowing attackers to execute arbitrary commands with the privileges of the application running the Pillow library (Debian Security).

The vulnerability was initially addressed in Pillow 9.0.0 by restricting the builtins available to PIL.ImageMath.eval(). However, this fix was incomplete as it did not prevent builtins available to lambda expressions. A complete fix was provided in version 9.0.1. Users are recommended to upgrade to Pillow version 9.0.1 or later (Pillow Release Notes).