Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022) #5020

Closed
1 task
Tracked by #137
pkfec opened this issue Jan 12, 2022 · 1 comment
Closed
1 task
Tracked by #137

[Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022) #5020

pkfec opened this issue Jan 12, 2022 · 1 comment
Labels
Security: general General security concern or issue Security: high Remediate within 30 days
Milestone
Sprint 17.2

Comments

@pkfec
Copy link
Contributor

pkfec commented Jan 12, 2022

Overview

Pillow is a PIL (Python Imaging Library) fork.

Affected versions of this package are vulnerable to Arbitrary Code Execution via PIL.ImageMath.eval which allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-2331901

###Detailed path
Introduced through: project@0.0.0 › pillow@8.3.2
Introduced through: project@0.0.0 › wagtail@2.11.8 › pillow@8.3.2

Remediation:

Upgrade pillow to version 9.0.0

Completion criteria:

  • Upgrade pillow to version 9.0.0
@pkfec pkfec added Security: high Remediate within 30 days Security: general General security concern or issue labels Jan 12, 2022
@pkfec pkfec added this to the Sprint 17.2 milestone Jan 12, 2022
@pkfec pkfec mentioned this issue Jan 12, 2022
Closed
1 task
@fec-jli fec-jli mentioned this issue Jan 19, 2022
Closed
@fec-jli fec-jli changed the title [Snyk:High] Arbitrary Code Execution (due by 02/26/2022) [Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022) Jan 19, 2022
@fec-jli fec-jli changed the title [Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022) [Snyk:Medium] Upgrade pillow to 9.0.0 (due by 02/26/2022) Jan 19, 2022
@fec-jli fec-jli changed the title [Snyk:Medium] Upgrade pillow to 9.0.0 (due by 02/26/2022) [Snyk:High] Upgrade pillow to 9.0.0 (due by 02/26/2022) Jan 19, 2022
@patphongs patphongs mentioned this issue Jan 27, 2022
Closed
1 task
@patphongs
Copy link
Member

Upgrading to Pillow 9 would be a risk to us since we are currently on a lower version of Wagtail. Closing this since Pillow is only used within our authenticated CMS system and does not pose an imminent risk.

@cnlucas cnlucas mentioned this issue Feb 2, 2022
Closed
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security: general General security concern or issue Security: high Remediate within 30 days
Projects
None yet
Milestone
Sprint 17.2
Development

No branches or pull requests
3 participants
@pkfec @patphongs @JonellaCulmer