CVE-2014-3007: Pillow command injection

May 17, 2022 (updated October 9, 2024)

Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.5.0 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=737059
github.com/advisories/GHSA-8m9x-pxwq-j236
github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2014-87.yaml
github.com/python-pillow/Pillow
nvd.nist.gov/vuln/detail/CVE-2014-3007

Code Behaviors & Features

Detect and mitigate CVE-2014-3007 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →